EP3823244B1 - High availability for network security devices - Google Patents
High availability for network security devices Download PDFInfo
- Publication number
- EP3823244B1 EP3823244B1 EP20211030.0A EP20211030A EP3823244B1 EP 3823244 B1 EP3823244 B1 EP 3823244B1 EP 20211030 A EP20211030 A EP 20211030A EP 3823244 B1 EP3823244 B1 EP 3823244B1
- Authority
- EP
- European Patent Office
- Prior art keywords
- packet
- application
- backup
- network device
- transaction
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 claims description 55
- 230000004044 response Effects 0.000 claims description 17
- 238000012545 processing Methods 0.000 claims description 11
- 230000008569 process Effects 0.000 claims description 9
- 238000007689 inspection Methods 0.000 description 56
- 238000004891 communication Methods 0.000 description 35
- 238000001514 detection method Methods 0.000 description 24
- 239000000872 buffer Substances 0.000 description 13
- 230000002265 prevention Effects 0.000 description 9
- 238000010586 diagram Methods 0.000 description 8
- 239000000284 extract Substances 0.000 description 7
- 230000004069 differentiation Effects 0.000 description 6
- 238000012546 transfer Methods 0.000 description 5
- 230000007704 transition Effects 0.000 description 5
- 230000009471 action Effects 0.000 description 3
- 238000004873 anchoring Methods 0.000 description 3
- 150000001875 compounds Chemical class 0.000 description 3
- 230000006870 function Effects 0.000 description 3
- 238000012544 monitoring process Methods 0.000 description 3
- 238000004458 analytical method Methods 0.000 description 2
- 238000003491 array Methods 0.000 description 2
- 230000000903 blocking effect Effects 0.000 description 2
- 238000001914 filtration Methods 0.000 description 2
- 230000014509 gene expression Effects 0.000 description 2
- 238000012423 maintenance Methods 0.000 description 2
- 239000003550 marker Substances 0.000 description 2
- 238000000926 separation method Methods 0.000 description 2
- 230000003044 adaptive effect Effects 0.000 description 1
- 230000002730 additional effect Effects 0.000 description 1
- 230000027455 binding Effects 0.000 description 1
- 238000009739 binding Methods 0.000 description 1
- 230000008859 change Effects 0.000 description 1
- 238000012217 deletion Methods 0.000 description 1
- 230000037430 deletion Effects 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000000737 periodic effect Effects 0.000 description 1
- 230000001052 transient effect Effects 0.000 description 1
- 230000007723 transport mechanism Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
Definitions
- This disclosure relates to computer networks and, more particularly, to security devices used within computer networks.
- high availability computer network environments The goal of high availability computer network environments is to provide users and other entities with "always on" service. That is, high availability computer network environments should provide reliable, continuous operation service. To accomplish this, network devices in a high availability environment perform error detection and implement recoverability for detected errors. Unfortunately, network devices occasionally fail. For example, a software or hardware problem or a power fault within a security device may cause all or a portion of the security device to stop functioning.
- a network device When a network device fails, all network traffic flowing through the failed network device may cease. For an enterprise that depends on such network traffic, this may be unacceptable, even if this failure occurs only for a short time.
- redundant hardware such as a backup controller or a separate backup network device may be installed.
- the backup device may be quickly substituted for the master device. In other words, the failing network device "fails over" to the backup device.
- a master device may also "switch over" to the backup device to go offline temporarily, e.g., to install software and/or firmware updates or to undergo other routine maintenance procedures. In general, failover is considered a form of switchover. After failing over or switching over to the backup device, the backup device becomes the master device. High availability clusters often include such primary and backup network devices.
- IDP intrusion detection and prevention
- IDP devices inspects application layer (that is, OSI Layer Seven) data to attempt to detect malicious traffic.
- IDP devices execute one or more complex finite automata or algorithms, using the application layer data as input, to detect patterns and event sequences that are indicative of malicious traffic.
- This complex detection process often requires generation and maintenance of substantial state information that describes the current traffic patterns and events of the current application-layer session. The substantial state information often prohibits the effective use of high availability with respect to IDP devices.
- US 2006/062142 A1 relates to cooperative TCP / BGP window management for stateful switchover.
- US 2008/163248 A1 relates to a system and a method for comoleteness of TCP data in TCP HA.
- FIG. 1 is a block diagram illustrating an example in which primary intrusion detection and prevention (IDP) device 16 and backup IDP device 20 provide effective high-availability IDP services within computing environment 10.
- IDP intrusion detection and prevention
- primary IDP device 16 and backup IDP device 20 synchronize application-layer IDP state for intercepted network sessions that flow between source devices 12 and destination devices 24.
- primary IDP device 16 performs stateful inspection of application-layer data for packet flows between source devices 12 and destination devices 24.
- Each of source devices 12 may establish an application-layer communication session with one or more of destination devices 24, where each communication session typically comprises a pair of packet flows between the source devices and the destination devices.
- packet flow refers to a set of packets originating from a particular one of source devices 12 and sent to a particular one of destination devices 24 as part of an application-layer network session between the one of source devices 12 and the one of destination devices 24, where each flow is typically identified by a five-tuple of source IP address, destination IP address, source port, destination port, a transport-layer protocol (e.g., TCP, UDP or the like).
- a set of packets originating from a particular one of destination devices 24 and sent to a particular one of source devices 12 as part of a corresponding network session also forms a packet flow.
- Source devices 12 are also referred to as "clients” and destination devices 24 are also referred to as "servers,” in some contexts.
- a network session comprises two packet flows between two devices, each of the packet flows being in opposite directions.
- source devices 12 are coupled to primary IDP device 16 and backup IDP device 20 via network 14, and primary IDP device 16 and backup IDP device 20 are coupled to destination devices 24 via network 22.
- any or all of source devices 12 may be coupled to primary IDP device 16 and backup IDP device 20 directly or through other networks similar to network 14.
- network 14 and network 22 typically include one or more network devices, such as, for example, routers, switches, bridges, gateways, hubs, or security devices.
- Primary IDP device 16 and backup IDP device 20 are also coupled via data link 18.
- primary IDP device 16 and backup IDP device 20 are directly coupled via data link 18. In other examples, however, primary IDP device 16 and backup IDP device 20 are coupled via intermediate network devices.
- network 14 includes a router or switch that directs traffic to primary IDP device 16 and/or backup IDP device 20.
- a switch at the edge of network 14 directs packet flows to primary IDP device 16 while primary IDP device 16 remains active.
- the switch updates forwarding information such that network traffic is directed to backup IDP device 20, instead of primary IDP device 16.
- Primary IDP device 16 may restart, recover from an error, be replaced, or otherwise become active again, in which case primary IDP device 16 becomes active and primary, after which backup IDP device 20 reverts to acting as a backup, rather than as the primary. Accordingly, after primary IDP device 16 becomes active again, the switch again updates the forwarding information such that network traffic is directed to primary IDP device 16, rather than backup IDP device 20.
- Primary IDP device 16 and backup IDP device 20 form a high availability cluster. Accordingly, primary IDP device 16 and backup IDP device 20 are configured in "cluster mode.” In general, traffic that passes through a high-availability cluster establishes an active session on a primary node, e.g., primary IDP device 16, and the primary node establishes a backup session on a backup node, e.g., backup IDP device 20, and synchronizes the active session to the backup node.
- the term "high availability” generally refers to network devices or services that are “always on,” that is, that are reliable, provide error detection and recoverability, and provide continuous operation. In the example of FIG.
- backup IDP device 20 performs as a primary IDP device when primary IDP device 16 encounters an error or otherwise goes offline. That is, primary IDP device 16 fails over or switches over to backup IDP device 20, in the event of an error or an event that causes primary IDP device 16 to go offline. For example, primary IDP device 16 may switchover to backup IDP device 20 to perform a software update that requires a restart of primary IDP device 16.
- primary IDP device 16 sends application-layer IDP state data for packet flows (e.g., synchronization messages) and control messages (e.g., heartbeat or keepalive messages) to backup IDP device 20 via different links between primary IDP device 16 and backup IDP device 20. These links may comprise separate physical links or separate logical links over the same physical medium.
- backup IDP device 20 determines that primary IDP device 16 is still active by receiving periodic keepalive messages.
- backup IDP device 20 determines that primary IDP device 16 is no longer active, and so backup IDP device 20 becomes active, treating the failure of primary IDP device 16 to send an expected keepalive message as a failover event.
- primary IDP device 16 and backup IDP device 20 perform stateful inspection of application-layer data of packet flows between source devices 12 and destination devices 24. That is, primary IDP device 16 executes application-layer protocol decoders that process application-layer communications and output transaction data that identifies application-layer transactions. In particular, the transaction data indicates when a series of related application-layer communications between two peer devices start and end. Primary IDP device 16 then applies intrusion detection algorithms such as signature matching using deterministic finite automaton (DFA) or other algorithms to each transaction to detect acceptable and unacceptable application layer data. In some examples, primary IDP device 16 and backup IDP device 20 comprise particular DFAs for each type of application-layer protocol that can be inspected by IDP devices.
- DFA deterministic finite automaton
- the DFA begins in a start state for application layer components of transactions of an application of a packet flow, such that upon reaching the end of a component, the IDP device determines whether the end state of the DFA corresponds to an accept state, a non-threat state, an attack state, or other state that indicates whether the transaction indicates that the packet flow is malicious.
- the DFAs may be referred to herein as "application layer component-based DFAs" in that, when applied, each DFA may begin at a start state upon detecting a beginning of an application-layer component of a transaction and be configured to resolve to either an acceptable state or unacceptable state before or upon reaching the completion of that same application-layer component of the transaction within the application-layer data being processed.
- the detection algorithms applied by the DFAs may be configured to be compartmentalized on a per-transaction basis so as not to cross application-layer transaction boundaries. This may assist with the anchoring and processing of existing packet flows upon failover to backup IDP device 20.
- the use of DFAs to detect network attacks is discussed in greater detail in U.S. Application No. 12/568,319, "NETWORK TRAFFIC PATTERN MATCHING USING ADAPTIVE DETERMINISTIC FINITE AUTOMATA," Ma et al., filed September 28, 2009 , and U.S. Application No.
- Primary IDP device 16 is configured to detect new communication sessions between source devices 12 and destination devices 24 and, for each communication session, determine an application-layer protocol for the session inspecting the intial packets of the packet flow, e.g., using protocol decoders and/or application identification techniques.
- Example application identification techniques are discussed in U.S. Patent Application No. 12/432,325, Bums et al., "DETECTING MALICIOUS NETWORK SOFTWARE AGENTS,” filed April 29, 2009 , U.S. Patent Application No. 11/937,163, Yang et al., “Multi-layered Application Classification and Decoding," filed Nov. 8, 2007 , and U.S. Patent Application No. 11/835,923, Burns et al., "Identifying Applications for Intrusion Detection Systems," filed Aug. 8, 2007 , each of which are hereby incorporated by reference in their respective entireties.
- primary IDP device 16 sends relatively few application-layer IDP state update messages to backup IDP device 20 yet provide high-availability IDP services to existing communication sessions, i.e., communication sessions established prior to failover, as well as new sessions.
- primary IDP device 16 sends application-layer IDP state update messages to backup IDP device 20 for session events, such as creation of a new network session (e.g., when primary IDP device 16 identifies a previously unmonitored packet flow), deletion of an existing network session (e.g., upon detecting a close session message), and blocking of an existing network session (e.g., when primary IDP device 16 determines that a network session or packet flow thereof is malicious).
- primary IDP device 16 sends state updates to backup IDP device 20 for each transaction, to inform backup IDP device 20 of a marker, e.g., a TCP sequence number, that signals when a next application-layer transaction will begin in the packet flow.
- a marker e.g., a TCP sequence number
- a layer four TCP sequence number can be calculated by adding the length of the current transaction to the sequence number of the beginning of the current transaction, plus the lengths of other packet headers as necessary.
- primary IDP device 16 Upon identifying an application-layer protocol used for a communication session, primary IDP device 16 sends an application-layer IDP state update message to backup IDP device 20 to record the new session. Primary IDP device 16 treats the act of identifying an application-layer protocol that is in use for a packet flow as an initial session event for the IDP services. At this time, primary IDP device 16 sends a state update message to backup IDP device 20 that identifies the packet flow and includes an identification of the application-layer protocol associated with the packet flow.
- backup IDP device 20 uses the identity of the application-layer protocol specified by primary IDP device 16 to anchor the correct protocol decoder to the packet flow to detect the start of a new application-layer transaction and trigger commencement of renewed application-layer IDP services for the packet flow. For example, assuming that primary IDP device 16 determines that the application-layer protocol for the packet flow comprises HTTP, backup IDP device 20 may look for the beginning of a new HTTP request, e.g., a GET, HEAD, or POST request. Following failover, and upon detecting the end of a current transaction and the start of a new transaction, backup IDP device 20 begins inspecting application-layer data associated with a subsequent application-layer transaction. Although backup ID device 20 may perform some processing (e.g., stateless processing) of the application-layer data of packets that precede the beginning of the new transaction, backup IDP device 20 begins stateful processing only for transactions including and following the new transaction.
- backup ID device 20 may perform some processing (e.g., stateless processing) of the application-layer data of packet
- the techniques of this disclosure may prevent a restart of network sessions associated with packet flows being inspected by primary IDP device 16 upon a switchover or failover to backup IDP device 20, thereby allowing the IDP devices to achieve improved high-availability IDP services. Further, the high-availability IDP services may be achieved without requiring that primary IDP device 16 replicate each received packet of each packet flow to backup IDP device 20, which would consume far too many network and computational resources in high-volume networks.
- primary IDP device 16 informs backup IDP device 20 of identified application-layer protocols for newly detected communication sessions, and backup IDP device 20 begin inspecting packet flows following switchover or failover of primary IDP device 16 by anchoring an appropriate protocol decoder to an existing packet flow and synchronizing attack detection to the start of a new, subsequent transaction.
- these techniques also include primary IDP device 16, upon detecting a new application-layer transaction, informing backup IDP device 20 of a TCP sequence number or other marker that may be used as an aid by the backup IDP device to predict the start of the next transaction.
- Primary IDP device 16 sends application-layer IDP state update messages to backup IDP device 20 via data link 18 for a particular packet flow when primary IDP device 16 detects the end of a current transaction.
- the end of a transaction is signaled in different ways, in various examples. Primarily, the end of a transaction is signaled either by the presence of a delimiter value, such as a new line character, a line feed character, a carriage return character, or some combination thereof, or by having transactions of a particular length. Examples of new line and line feed characters include ' ⁇ n' and '0x0A'. Examples of carriage return characters include ' ⁇ r' and '0x0D'. Other characters can also be used as delimiters to designate the end of a transaction.
- delimiters that designate the end of a transaction are defined according to an application and/or application-layer protocol. Accordingly, primary IDP device 16 and backup IDP device 20 are configured to recognize delimiters corresponding to application-layer protocols and applications that are recognized by primary IDP device 16 and backup IDP device 20.
- primary IDP device 16 When the end of a transaction is signaled by a delimiter value, primary IDP device 16 does not need to send messages to backup IDP device 20 for each transaction. Instead, primary IDP device 16 can simply send application-layer IDP state messages for each network session event, such as a create, delete, block, or application identification event. When transactions are of a defined length, however, primary IDP device 16 informs backup IDP device 20 of TCP sequence numbers that indicate the start of a next transaction. In particular, primary IDP device 16 calculates the TCP sequence number corresponding to the next transaction as the sum of the TCP sequence number of the first packet of a current transaction, the length of the transaction, and any additional length added by packet headers not represented by the application layer payload of packets of the transaction.
- primary IDP device 16 When primary IDP device 16 determines the length of a transaction, primary IDP device 16 constructs an application-layer IDP state synchronization message including a sequence number corresponding to the start of a next transaction and forwards the state synchronization message to backup IDP device 20. Backup IDP device 20, in turn, updates state information for the packet flow in response to the state synchronization message.
- the techniques of this disclosure can be applied to any pair of primary/backup network elements in which sequence number awareness is needed.
- other security devices such as intrusion detection or intrusion prevention devices, Data Loss Prevention devices, and Web Security gateways, may perform the techniques of this disclosure.
- devices configured to perform uniform resource locator (URL) filtering can also be configured to perform the techniques of this disclosure.
- URL uniform resource locator
- any pair of devices in a high availability configuration that utilize protocol decoders can be configured to perform the techniques of this disclosure.
- backup IDP device 20 Rather than inspecting only new packet flows of new sessions following a switchover or failover, the techniques of this disclosure provide backup IDP device 20 with the ability to perform stateful inspection of packets of an existing packet flow following a switchover or failover.
- backup IDP device 20 uses the application-layer IDP state update messages received from primary IDP device 16 prior to a switchover or failover to determine when a new transaction of the packet flow begins, and backup IDP device 20 begins inspecting the packet flow at the new transaction and each subsequent transaction of the packet flow.
- backup IDP device 20 Following switchover or failover, backup IDP device 20 enters an "anchor mode" in which backup IDP device 20 searches for the beginning of a next transaction of a packet flow.
- Backup IDP device 20 inspects packets of the packet flow to detect either a delimiter representative of a new transaction, or a packet having a TCP sequence number that is equal to a TCP sequence number received from primary IDP device 16 indicative of a new transaction. In either case, backup IDP device 20 attempts to detect a packet representative of a last packet of a current transaction and/or a first packet of a new transaction to anchor a protocol decoder for the packet flow and begin inspecting the packet flow to determine whether the packet flow represents a network attack.
- a packet flow comprises a plurality of packets.
- Each of the plurality of packets may correspond to a particular transaction of the packet flow.
- one or more of the plurality of packets may correspond to a delimiter that is used to differentiate between two transactions. That is, each transaction of a packet flow may be followed by a delimiter to indicate a distinction between the transaction and a following transaction.
- determining that at least one of a plurality of packets corresponds to a first packet of a new transaction includes determining that the packet immediately following a delimiter corresponds to the first packet of the transaction.
- transactions may be defined to comprise a fixed number of bytes, described as a length of a transaction.
- each transaction of a packet flow has the same length, whereas in other examples, each transaction includes a length value in a transaction header that describes the length of the transaction, e.g., a number of bytes for the transaction.
- determining that at least one of a plurality of packets corresponds to the first packet of a transaction includes determining that the packet has a TCP sequence number that is equal to a largest TCP sequence number received from primary IDP device 16 that indicates the start of a new transaction.
- primary IDP device 16 sends a message that includes the TCP sequence number of the first packet of a new transaction, as well as a length of the transaction, and allows backup IDP device 20 to calculate the sequence number of the first packet of a next transaction.
- Packet synchronization numbers correspond to particular bytes of the packet flow, and therefore, the difference between the synchronization number of a first packet of a transaction and the synchronization of a last packet of the transaction corresponds to the length of the transaction.
- the first packet of a next transaction can be identified by calculating the difference between the sequence number of a received packet and the sequence number of the first packet of a transaction and, when the difference is equal to the transaction length, determining that the received packet is the first packet of the next transaction.
- System 10 of FIG. 1 may provide several advantages.
- configuration of primary IDP device 16 and backup IDP device 20 provide a lightweight mechanism for synchronizing session state and for continuing IDP inspection for network sessions following failover or switchover from primary IDP device 16 and backup IDP device 20 in the example high-availability environment of system 10.
- the techniques implemented by primary IDP device 16 and backup IDP device 20 scale well to systems that inspect various numbers of packet flows, as the communication required between primary IDP device 16 and backup IDP device 20 is minimal to maintain session synchronization.
- state synchronization occurs between primary IDP device 16 and backup IDP device 20, backup IDP device 20 is able to perform stateful packet inspection following switchover or failover from primary IDP device 16. In this manner, backup IDP device 20 is able to inspect packets of a new transaction as well as subsequent packets of the packet flows previously inspected by primary IDP device 16 following switchover or failover.
- FIG. 2 is a block diagram illustrating an example arrangement of components of primary IDP device 16 ( FIG. 1 ).
- Backup IDP device 20 may include components similar to those described with respect to FIG. 2 .
- primary IDP device 16 comprises input network interface 30, control unit 32, flow management module 34, stateful inspection engine 28, protocol decoders 36, forwarding component 31, output network interface 38, flow table 40, backup network device interface 42, and security management module 45.
- three distinct network interfaces are depicted in the example of FIG. 2 , other examples may include a single network interface that performs the functions attributed to input network interface 30, output network interface 38, and/or backup device network interface 42.
- Security management module 45 presents a user interface by which administrator 43 configures primary IDP device 16. For example, administrator 43 may configure primary IDP device 16 to monitor particular subnets of the enterprise network.
- security management module 45 presents a user interface by which administrator 43 may specify attack definitions 44, which security management module 45 relays to stateful inspection engine 28.
- attack definitions 44 comprise compound attack definitions.
- security management module 45 may present a user interface by which administrator 43 may modify assumptions regarding packet flow characteristics, such as the highest priority packet flows for monitoring, port bindings for applications, or other features of determining a type of application and protocol associated with the packet flow.
- primary IDP device 16 includes a forwarding plane 23 that transparently monitors inbound network traffic 25 and forwards the network traffic as outbound network traffic 26.
- forwarding plane 23 includes input network interface 30, flow management module 34, stateful inspection engine 28, a plurality of protocol decoders 36, forwarding component 31, output network interface 38, and backup device network interface 42.
- Primary IDP device 16 comprises control unit 32 that executes flow management module 34 and protocol decoders 36.
- Control unit 32 may comprise any combination of hardware, firmware, and/or software for performing the functions attributed to control unit 32.
- control unit 32 may comprise a programmable processor that executes instructions stored in a computer-readable storage medium.
- Primary IDP device 16 may comprise a computer-readable storage medium encoded with instructions for flow management module 34 and/or protocol decoders 36.
- flow management module 34 and/or protocol decoders 36 may comprise discrete hardware units, such as digital signal processors (DSPs), application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), or any other equivalent integrated or discrete logic circuitry, or any combination of hardware, firmware, and/or software.
- DSPs digital signal processors
- ASICs application specific integrated circuits
- FPGAs field programmable gate arrays
- flow management module 34 determines, for packets received via input network interface 30, a packet flow to which the packets belong and characteristics of the packet flow.
- Flow management module 34 also provides session state updates, e.g., event updates and, for length encoded protocols, sequence number updates, actions taken with respect to a particular network device, packet flow, or network session (e.g., block, rate limit, time to block, etc.), or other state updates, to backup IDP device 20 for each packet flow.
- session state updates e.g., event updates and, for length encoded protocols, sequence number updates, actions taken with respect to a particular network device, packet flow, or network session (e.g., block, rate limit, time to block, etc.), or other state updates, to backup IDP device 20 for each packet flow.
- For each packet flow, flow management module 34 provides state updates to backup IDP device 20 for each packet flow event.
- primary IDP device 20 provides application-layer IDP state update messages at each new transaction to identify the TCP sequence number corresponding to a first packet of
- flow management module 34 constructs a state update message including information regarding the packet flow that indicates that a new packet flow has begun and is being monitored by primary IDP device 16.
- the state update message includes information such as, for example, the five-tuple ⁇ source IP address, destination IP address, source port, destination port, protocol ⁇ , and in some examples, an indication of how transactions are differentiated (e.g., whether defined length transactions or delimiters used to separate transactions, which particular delimiters are used, lengths of transactions, etc.)
- Flow management module 34 also sends application-layer IDP state update messages when an application corresponding to the packet flow is identified, where the message includes an identification of the application.
- Flow management module 34 receives inbound traffic 25 and identifies network flows within the traffic. Each network flow represents a flow of packets in one direction within the network traffic and is identified by at least a source address, a destination address and a communication protocol. Flow management module 34 may utilize additional information to specify network flows, including source media access control (MAC) address, destination MAC address, source port, and destination port. Other examples may use other information to identify network flows, such as IP addresses.
- MAC media access control
- Flow management module 34 maintains data within flow table 40 that describes each active packet flow present within the network traffic.
- Flow table 40 specifies network elements associated with each active packet flow, i.e., low-level information such as source and destination devices and ports associated with the packet flow.
- flow table 40 identifies pairs or groups of packet flows that collectively form a single communication session between a client and server. For example, flow table 40 may designate communication session as pairs of packet flows in opposite directions for flows sharing at least some common network addresses, ports and protocol.
- Flow management module 34 maintains flow table 40, which includes parameters of each packet flow monitored by primary IDP device 16.
- flow table 40 includes entries for each packet flow that include information such as packet flow identifying information, such as the five-tuple ⁇ source IP address, destination IP address, source port, destination port, protocol), an identification of the application corresponding to the packet flow, whether the packet flow is active or blocked, and how transactions are differentiated (e.g., whether delimiters or transaction lengths are used).
- Flow table 40 generally includes an entry for each packet flow monitored by primary IDP device 16.
- flow management module 34 extracts data from packets forming a three-way handshake of the packet flow to create a new entry in flow table 40.
- the three-way handshake generally includes a synchronization (SYN) packet from a client to a server, a synchronization-acknowledgement (SYN-ACK) packet from the server to the client, and an acknowledgement (ACK) packet from the client to the server.
- SYN synchronization
- SYN-ACK synchronization-acknowledgement
- ACK acknowledgement
- These packets also include session information, such as an initial sequence numbers for both the client (in the SYN packet) and the server (in the SYN-ACK packet).
- primary IDP device 16 begins inspecting packets of a new packet flow to identify an application-layer protocol for the packet flow. Upon identifying the protocol, primary IDP device 16 sends an IDP state update message to backup IDP device 20 via backup device network interface, where the IDP state update message identifies the new packet flow and includes an identification of the application-layer protocol that has been identified as used within the payload of the packets.
- the manner in which transactions are differentiated is defined by the application-layer protocol.
- primary IDP device 16 explicitly informs backup IDP device 20 of the manner in which transactions are differentiated, using the state update message that indicates the identified application-layer protocol.
- primary IDP device 16 includes in the state update message indicating the identified protocol whether the manner in which transactions are differentiated includes the use of delimiters, in which case primary IDP device 16 may further indicate which delimiters are used, or the use of defined lengths of transactions, in which case primary IDP device 16 may further indicate the length of each transaction in the state update message or in individual messages for each new transaction.
- Flow management module 34 determines whether transactions are defined using delimiters or fixed length sequences of bits/bytes. In examples in which delimiters are used to indicate the separation between transactions, flow management module 34 also determines which delimiters apply to a protocol determined to correspond to the packet flow. In some examples, flow management module 34 determines the manner in which transactions are differentiated for the protocol (e.g., by looking for common delimiters such as new line and carriage return characters), while in other examples, control unit 32 determines how to distinguish transactions from each other based solely on the application-layer protocol identification. Flow management module 34 updates the entry corresponding to a packet flow when parameters for the packet flow change.
- Backup IDP device 20 also includes a local flow table similar to flow table 40.
- flow management module 34 determines that a received packet forms part of a new packet flow
- flow management module 34 sends the extracted information from the three-way handshake packets of the new packet flow (e.g., the packet flow identifying 5-tuple) to backup IDP device 20 via data link 18.
- Backup IDP device 20 creates a new entry for the new packet flow in the local flow table using data received from flow management module 34 of primary IDP device 16. In some examples, this information also includes the initial sequence number of the packet flow.
- backup IDP device 20 receives application-layer IDP state updates from primary IDP device 16, backup IDP device 20 updates a corresponding entry in the local flow table of backup IDP device 20.
- backup IDP device 20 begins receiving packets of packet flows previously monitored by primary IDP device 16.
- Backup IDP device 20 scans received packets of a packet flow to identify the beginning of a new application-layer transaction of the packet flow, e.g., by identifying a transaction delimiter within the application-layer data carried by the payload of the packet.
- backup IDP device 20 determines that a packet having a sequence number equal to the sequence number of the last state update message from primary IDP device 16 corresponds to the first packet of a new transaction.
- backup IDP device 20 When backup IDP device 20 detects the first packet of a new transaction, backup IDP device 20 begins processing the new transaction to detect attacks in subsequent packets of the packet flow. In some examples, backup IDP device 20 forwards packets of the packet flow that are not part of the new application-layer transaction without inspecting these packets. In some examples, backup IDP device 20 drops the packets that are received before the new transaction. In this manner, following switchover or failover, backup IDP device 20 begins in an anchoring mode, awaits the start of a new application-layer transaction, anchors an application-layer protocol decoder to a point in the application-layer data where the new transaction begins, then switches to an attack detection and prevention mode and scans subsequent transactions using application layer component-based DFAs to attempt to identify and prevent malicious network traffic.
- stateful inspection engine 28 inspects packet flows to identify attacks within the packet flows.
- stateful inspection engine 28 inspects the packet flow to detect attacks operating at the application layer for the packet flows.
- stateful inspection engine 28 executes a programmed response, such as sending alert 41 to security management module 45 or instructing forwarding component 31 to drop packets of the packet flow or to end the network session corresponding to the packet flow.
- Stateful inspection engine 28 may also rate-limit the packet flow, i.e., throttle network sessions corresponding to detected attacks to a certain bitrate, such as 10 Mbits/second.
- Attack detection module 52 may also record an identifier of at least one of the network devices participating in the network session in flow table 35 and block future connection requests originating from the recorded identifier. That is, flow management module 34 may receive a connection request, determine that the connection request originates from the identifier recorded in flow table 40, and block the connection request.
- primary IDP device 16 may block future connection requests from the network device participating in the network session as the programmed response.
- Forwarding component 31 may also construct a message to send to other network devices, such as other routers or IDP, IDS, or IPS devices, to block or otherwise respond to packet flows from the source network device for which stateful inspection engine 28 detected an attack.
- Alert 41 may include details such as a source address of the packet flow, an identification of the application corresponding to the packet flow, the scores calculated for the metrics of the network session that led stateful inspection engine 28 to conclude that a particular network session was malicious, or other information regarding the network session.
- Primary IDP device 16 may use a minimum data size of the reassembled TCP segments, in addition to the signature, in order to identify applications corresponding to packet flows or encapsulated packet flows. Certain applications require a minimum amount of data, so primary IDP device 16 may distinguish malicious packet flows by determining whether the packet flow contains enough data for the identified protocol. Moreover, primary IDP device 16 may not necessarily recognize every application. In one example, when an application is unknown, primary IDP device 16 may simply forward the packet flow. Other examples take other actions for unidentified applications, however, such as discarding all packets which target unknown applications or applying a default signature to all packet flows associated with unknown application types. Other examples also apply the techniques of this disclosure to other protocols, such as the user datagram protocol (UDP). Primary IDP device 16 accordingly may require a minimum data size of UDP segments in order to identify the application associated with the UDP segments.
- UDP user datagram protocol
- stateful inspection engine 28 includes a co-processor to perform application identification.
- the co-processor may continually receive input in the form of the packet flow and may constantly perform application identification on the packet flow. For each chunk of the packet flow, the co-processor may return the identity or identities the application(s) that the co-processor identified.
- protocol decoders 36 include a set of one or more protocol-specific software modules that process application-layer communications 33 and output transaction data 39 that identifies application-layer transactions.
- transaction data 39 indicate when a series of related application-layer communications between two peer devices start and end. Additionally the protocol decoders decompose a transaction into application layer elements on which attack signatures are matched and protocol anomalies are detected.
- one or more of protocol decoders 36 may be generic protocol decoders, such that the generic protocol decoders attempt to identify the application corresponding to the payload of an application-layer communication 33.
- An example of a generic protocol decoder is an algorithm that matches a predefined set of application fingerprints/signatures to the data being decoded and identifies the application based on a particular fingerprint match. For example, a generic protocol decoder may attempt to identify the application corresponding to the payload of an HTTP communication.
- protocol decoders 36 correspond to a different communication protocol or service.
- Examples of communication protocols that may be supported by protocol decoders 36 include the HyperText Transfer Protocol (HTTP), the File Transfer Protocol (FTP), the Network News Transfer Protocol (NNTP), the Simple Mail Transfer Protocol (SMTP), Telnet, Domain Name System (DNS), Gopher, Finger, the Post Office Protocol (POP), the Secure Socket Layer (SSL) protocol, the Lightweight Directory Access Protocol (LDAP), Secure Shell (SSH), Server Message Block (SMB) and other protocols.
- HTTP HyperText Transfer Protocol
- FTP File Transfer Protocol
- NTP Network News Transfer Protocol
- SMTP Simple Mail Transfer Protocol
- Telnet Telnet
- DNS Domain Name System
- POP Post Office Protocol
- SSL Secure Socket Layer
- SSL Lightweight Directory Access Protocol
- SSH Secure Shell
- SMB Server Message Block
- each of protocol decoders 36 receives data via a universal software interface, i.e., a software interface that processes application data in a manner
- protocol decoders 36 After application of protocol decoders 36 to a given packet flow or individual packet, the protocol decoders return transaction data 39, application-layer elements 35, and protocol anomaly data 37 to stateful inspection engine 28. Stateful inspection engine 28 applies attack definitions 44 to protocol-specific application-layer elements 35 and anomaly data 37 to detect and prevent network attacks and other security risks.
- stateful inspection engine 28 In the event a security risk is detected, stateful inspection engine 28 outputs alert 41 to security management module 45 for logging and further analysis. In addition, stateful inspection engine 28 may take additional actions according to a policy definition, such as dropping the packets associated with the communication session, automatically closing the communication session or other action. If no security risk is detected for a given communication session, forwarding component 31 continues to forward the packet flows between the peers. Forwarding component 31 may, for example, maintain a routing table that stores routes in accordance with a topology of the enterprise network for use in forwarding the packet flows.
- forwarding component 31 may forward a reassembled packet comprising only those sub-packets that do not correspond to malicious network sessions.
- Stateful inspection engine 28 of primary IDP device 16 inspects packets received for each packet flow. For example, stateful inspection engine 28 may execute one or more DFAs for each application-layer transaction within a packet flow to determine whether the transaction corresponds to a network attack. In general, definitions of the DFAs are stored in attack definitions 44. Attack definitions 44 define one or more attacks, e.g., in the form of attack signatures, which correspond to regular expressions. By executing a DFA for a transaction of the packet flow, stateful inspection engine 28 determines whether the transaction represents an attack.
- a DFA comprises a plurality of states, an input alphabet, and a plurality of transitions defined from a first state to a second state based on a particular input character.
- Some examples of stateful inspection engine 28 utilize a nondeterministic finite automata (NFA), which enables lambda transitions between states, that is, enabling a transition between a first state and a second state without an input character.
- NFA nondeterministic finite automata
- a DFA or NFA "accepts" an input sequence when, starting from an initial start state, the DFA processes a sequence of tokens that cause the DFA to transition to and end in one of one or more accept states.
- particular accept states of the DFA are defined as attack states, and when the DFA accepts an input sequence in an attack state, stateful inspection engine 28 determines that the packet flow comprising the one or more packets is malicious, while other accept states are defined as non-malicious accept states.
- stateful inspection engine 28 determines that one or more packets of a packet flow represent a network attack according to attack definitions 44, stateful inspection engine 28 performs one or more programmed responses.
- the programmed response may comprise, for example, dropping the attack packets, rate-limiting the packet flow, closing a network session associated with the packet flow, sending a close session message to either the client or the server (or both) of the network session, blocking future network connection requests by either the client or the server (permanently or for a defined period of time), or advertising the IP address of either or both of the client or server to other network devices to cause those network devices to block network sessions of the client or server and/or to close current network sessions of the client or server.
- attack detection module 32 determines that a packet of a packet flow does not represent a network attack, attack detection module 32 passes the packet to the forwarding component 31, and the packet is forwarded toward the destination of the packet flow.
- the programmed response corresponds to a packet flow event, namely a "block" event. Accordingly, flow management module 34 generates a state update message indicating the corresponding packet flow, that a block event has occurred, and the programmed response that was taken. In this manner, following switchover or failover, backup IDP device 20 is able to continue enforcing the programmed response for the packet flow.
- FIG. 3 is a block diagram illustrating an example of stateful inspection engine 28 of primary IDP device 16 in further detail.
- stateful inspection engine 28 includes reassembly module 50, application identification module 51, attack detection module 52, patterns table 54, data buffer 55, anomalies table 56, and attack definitions 44.
- Reassembly module 50 receives inbound network traffic 25 and reassembles application-layer communications 33 from the packet flows by removing any underlying transport information (e.g., layer four (L4) information and below). Reassembly module 50 forwards the reassembled application-layer communications 33 to application identification module 51, which determines an application for the network session and then sends the reassembled data to the appropriate protocol decoders 36 for processing.
- transport information e.g., layer four (L4) information and below
- Stateful inspection engine 28 stores attack definitions 44 received from security management module 45.
- Attack definitions 44 may be stored, for example, in a computer-readable medium, such as random access memory (RAM).
- RAM random access memory
- Each of attack definitions 44 specifies a combination of one or more patterns specified within patterns table 54 and one or more protocol-specific anomalies specified within anomalies table 56.
- reassembly module 50 buffers the packet in data buffer 55.
- data buffer 55 stores data as a sliding window. That is, data buffer 55 stores data until becoming full or reaching a specified required amount of minimum data for identification. When full, data buffer 55 discards certain data to make room for storing new data.
- data buffer 55 stores and discards data according to a first-in, first-out (FIFO) protocol wherein the first data to be stored is the first data to be discarded when data buffer 55 becomes full.
- FIFO first-in, first-out
- data buffer 55 discards data according to a least recently used protocol wherein, when data buffer 55 is full, the packet flow which has been least recently used will be discarded to make room for new data to be stored.
- reassembly module 50 associates packets in a packet flow of a network session according to the 5-tuple ⁇ source IP address, destination IP address, protocol, source port, destination port ⁇ . Other examples use other methods to associate packets with a particular packet flow or encapsulated packet flow.
- primary IDP device 16 comprises part of a network that utilizes virtual local area networks (VLANs). Accordingly, reassembly module 50 may associate packets in a packet flow according to a VLAN identifier, a source address, and a destination address.
- VLANs virtual local area networks
- Application identification module 51 attempts to identify an application associated with each of the intercepted communication sessions. In one embodiment, when stateful inspection engine 28 receives a packet as part of a packet flow, reassembly module 50 buffers the packet in data buffer 55. Reassembly module 50 attempts to reconstruct application layer data from the packets in data buffer 55. Application identification module 51 then attempts to identify the application associated with the packets in accordance with this reconstructed data. In other embodiments, application identification module 51 may use other techniques to attempt to identify the application associated with the communication session.
- Application identification module 51 sends data from the packets to protocol decoders 36. When application identification module 51 is able to determine the application associated with the communication session, application identification module 51 sends data from the communication session to a corresponding one of protocol decoders 36. When application identification module 51 is not able to identify an application corresponding to the communication session, application identification module 51 sends the data from the communication session to a default protocol decoder of protocol decoders 36.
- Protocol decoders 36 include decoders for various application-layer protocols that are used to extract transaction data 39, application-layer elements 35, and protocol anomaly data 37. In some examples, protocol decoders 36 use delimiters or a defined length of transactions to determine sections of the reassembled application-layer data that correspond to individual transactions. Moreover, when protocol decoders 36 detect the start of a new transaction for length-encoded protocols that define lengths of transactions, protocol decoders 36 signal flow management module 34 that a new transaction has been detected and a packet in which the beginning of the new transaction was detected. Accordingly, flow management module 34 calculates a sequence number corresponding to a packet that includes data for the start of a next new transaction and sends the calculated sequence number to backup IDP device 20 in a state update message.
- Attack detection module 52 applies attack definitions 44 to application-layer elements 35 and protocol anomaly data 37 received from protocol decoders 36 that comprise individual application-layer transactions.
- the application-layer elements 35 may comprise application-layer elements of non-encapsulated packet flows or encapsulated packet flows (e.g., a communication session where a layer seven application-layer protocol is used to encapsulate another application-layer protocol). That is, attack detection module 52 may detect network attacks in either normal, non-encapsulated network traffic or in encapsulated packet flows.
- For each of compound attack definitions 44 attack detection module 52 selects the one or more patterns within patterns table 52 specified by the compound attack definition and determines whether any of application-layer elements 35 match the defined patterns.
- Each of the patterns may be defined as a respective "regular expression,” which generally refers to a formula that is used to match patterns within data.
- attack detection module 52 may determine whether any protocol anomalies detected by protocol decoders 36 match the protocol anomalies specified by attack definitions 44. Attack detection module 52 determines that the corresponding packet flow matches one of attack definitions 44 when both the patterns and protocol anomalies specified by the attack definition are detected within a given communication session. Further, each of attack definitions 44 may specify whether the pattern matching and protocol anomalies are applied on a per-transaction basis or over the lifetime of the communication session.
- stateful inspection engine 28 In the event a security risk is detected, stateful inspection engine 28 outputs alert 41 to security management module 45 ( FIG. 2 ) for logging and further analysis. Stateful inspection engine 28 may also direct forwarding component 31 to execute a programmed response to the security risk. The programmed response may include automatically dropping packets of the packet flow associated with the application-layer communications within which the network attack was detected. Stateful inspection engine 28 may also cause forwarding component 31 to send a close session message to one or more participants in the malicious network session as the programmed response.
- FIG. 4 is a block diagram illustrating example sub-components of flow management module 34 and an example flow table entry 60A of flow table 40.
- flow management module 34 comprises packet parser 61.
- packet parser 61 parses the packet to determine whether the packet belongs to an existing packet flow or whether the packet represents a new packet flow.
- Packet parser 61 determines that SYN packets and SYN-ACK packets represent new packet flows. That is, packet parser 61 checks a SYN flag of a TCP header of a packet to determine whether the packet represents a new packet flow.
- packet parser 61 determines that a packet having a 5-tuple ⁇ source IP address, destination IP address, source port, destination port, protocol ⁇ that does not match any entries of flow table 40 also represents a new (that is, unrecognized) packet flow.
- flow table 40 includes a plurality of flow table entries 60, although only one entry (flow table entry 60A) is shown in FIG. 4 for purposes of explanation.
- Flow table entry 60A includes data representative of a respective packet flow.
- flow table entry 60A includes values source IP address 62A, destination IP address 64A, source port 66A, destination port 68A, protocol 70A, identified application 72A, DFA state 74A, end-of-transaction identifier 76A, and application-layer IDP state 78A.
- Packet parser 61 extracts the source IP address, destination IP address, source port, destination port, and protocol values from initial packets of a new network session, e.g., the SYN, SYN-ACK, and ACK packets forming the three-way handshake to initiate a new TCP session.
- flow management module 34 After creating a new entry in flow table 40 representing a new packet flow and setting application-layer IDP state 78 of the new entry to "created," flow management module 34 sends one or more messages to backup IDP device 20 to indicate that a new packet flow has been identified. The messages also include the data used to create the new flow table entry. Accordingly, backup IDP device 20 creates an entry in a flow table local to backup IDP device 20 representative of the new packet flow.
- the values source IP address 62A, destination IP address 64A, source port 66A, destination port 68A, and protocol 70A identify the packet flow to which flow table entry 60A corresponds. Accordingly, when flow management module 34 receives a packet, packet parser 61 extracts the source IP address, destination IP address, source port, destination port, and protocol of the packet to determine to which entry of flow table 40 the packet corresponds. Upon identifying an existing entry in flow table 40 for the packet, stateful inspection engine 38 extracts DFA state 74 from the corresponding entry 60 of flow table 40, executes the DFA using application-layer data of the packet (extracted from the packet by protocol decoders 36), and updates the value of DFA state 74 accordingly.
- Protocol decoders 36 inspect each received packets to determine whether the packet represents part of a particular transaction, e.g., a current transaction or a new transaction, or a delimiter between transactions. In examples for which delimiters indicate a separation between transactions, protocol decoders 36 determines that a packet following a delimiter corresponds to a packet of a new transaction. Likewise, protocol decoders 36 determine that a packet preceded by a delimiter corresponds to a last packet of a transaction.
- protocol decoders 36 determine that a packet having a sequence number that is one transaction-length greater than the sequence number of the beginning of a previous transaction corresponds to a new transaction. In some examples, protocol decoders 36 further determine whether an application layer element at the start of the new transaction is valid for the application protocol for the network session. For example, for HTTP, in addition to looking for new line/carriage return characters, protocol decoders 36 may also ensure that the start of the new transaction is a GET, POST, HEAD, or other HTTP transaction to confirm that the delimiter indeed was intended to separate transactions, and was not part of the content of the previous transaction.
- flow management module 34 Upon detecting a new transaction, in examples that use defined lengths of transactions, flow management module 34 calculates the sequence number of the next transaction, generates a state update message that includes the sequence number of the next transaction, and sends the state update message to backup IDP device 20.
- a DFA comprises a plurality of states and transitions between the states based on input characters.
- Stateful inspection engine 28 ( FIG. 2 ) records a current DFA state for a current transaction in DFA state 74A. Accordingly, when a subsequent packet of the current transaction is received and processed, stateful inspection engine 28 processes the data of the packet and updates the value of DFA state 74A accordingly. In some examples, stateful inspection engine 28 recognizes a plurality of different DFAs. In such examples, stateful inspection engine 28 also records an identifier of a DFA to which the current transaction corresponds in DFA state 74A, e.g., as a tuple represented by ⁇ DFA_identifier, DFA_state ⁇ .
- protocol decoders 36 When a received packet is part of an existing (that is, recognized) packet flow, protocol decoders 36 extract one or more characters from the application-layer payload of the packet and passes the characters to stateful inspection engine 28 ( FIG. 2 ). Stateful inspection engine 28 retrieves the current DFA and current DFA state from DFA state 74. Stateful inspection engine 28 then processes the input characters received from protocol decoder 36 to determine a resulting state in the corresponding DFA and records the DFA state in DFA state 74.
- stateful inspection engine 28 determines whether the last DFA state is an "accept" state (e.g., to determine whether the transaction represents an attack, an error, or an acceptable input sequence) and updates DFA state 74 to reflect a DFA start state.
- flow management module 34 sets the value of application-layer IDP state 78 of the corresponding entry 60 of flow table 40 to "blocked," and, in some examples, also records one or more programmed responses that were taken with respect to the packet flow, the source, and/or the destination of the packet flow in application-layer IDP state 78 of the corresponding flow table entry 60 of flow table 40. As discussed above, flow management module 34 also generates a state update message to indicate that the packet flow has been blocked, as well as one or more programmed responses that have been taken with respect to the packet flow, the source, and/or the destination.
- FIG. 5 is a flowchart illustrating an example method for creating a new flow table entry upon receiving a new packet flow.
- primary IDP device 16 receives packets indicative of a new packet flow (100).
- primary IDP device 16 determines that a packet flow is a new packet flow upon receiving a SYN packet of the packet flow from a client, e.g., one of source devices 12 ( FIG. 1 ), destined for a server, e.g., one of destination devices 24 ( FIG. 1 ).
- Primary IDP device 16 also receives a SYN-ACK packet from the server in response to the SYN packet, and an ACK packet from the client in response to the SYN-ACK packet.
- the SYN, SYN-ACK, and ACK packets are referred to as the three-way handshake packets. It should be noted that the SYN packet and the SYN-ACK packet belong to different packet flows, but to the same network session.
- Primary IDP device 16 associates the two packet flows with the same network session using source and destination IP addresses, source and destination port numbers, and a protocol of each packet flow
- packet parser 61 parses received packets to determine whether the SYN and/or ACK flags of these packets are set. Packet parser 61 determines that packets with the SYN and/or ACK flags set are three-way handshake packets of respective new packet flows of a new network session. Packet parser 61 parses three-way handshake packets to determine, for the packet flows associated with the three-way handshake packets, a source of the packet flow including a source IP address and a source port, a destination of the packet flow including a destination IP address and a destination port, and an identified protocol of the packet flow (102).
- flow management module 34 constructs a new entry 60 of flow table 40 to record the identified 5-tuple and sets the application-layer IDP state to "created" (104). Flow management module 34 also constructs a state update message that includes the 5-tuple and sends the state update message to backup IDP device 20 (106), which constructs a similar new entry in a local flow table of backup IDP device 20.
- primary IDP device 16 executes an application identification process to determine an application-layer protocol for the packet flow (108).
- determining the application-layer protocol further comprises performing application identification to identify an application corresponding to the packet flow, e.g., a web browser, an e-mail client, an FTP (file transfer protocol) client, a peer-to-peer file sharing client, or other network application.
- Primary IDP device 16 also determines how transactions are differentiated for the packet flow (110).
- the determined application-layer protocol itself defines how transactions are differentiated, e.g., whether the transactions are delimited using new line, line feed, and/or carriage return characters, or whether transactions are of a defined length, e.g., for binary protocols.
- the transaction differentiation type corresponds to at least one of a delimiter or a transaction length, and is determined as a factor of the application-layer protocol determined to correspond to the packet flow, as well as the identified application corresponding to the packet flow.
- flow management module 34 also determines what delimiters are used to demarcate transactions, e.g., new line characters, carriage return characters, or the like.
- flow management module 34 also determines the length of the transactions, e.g., as a number of bytes.
- each transaction is of the same length, while in other transactions, the length of each transaction is dynamic and signaled, e.g., with a transaction header.
- flow management module 34 updates the corresponding flow table entry 60 in flow table 40 for the packet flow to indicate the identified application-layer protocol and the transaction differentiation type (112).
- Flow management module 34 also creates a state update message for backup IDP device 20 including the identified application-layer protocol and the transaction differentiation type and sends the state update message to backup IDP device 20 via backup device network interface 42 across data link 18 (114). Protocol decoders 36 then begin inspection of application-layer data of packets of the new packet flow (116).
- FIG. 6 is a flowchart illustrating an example method for sending state updates from primary IDP device 16 to backup IDP device 20 for packet flows having length-encoded application-layer protocols.
- primary IDP device 16 receives a packet of an existing (recognized) packet flow (120).
- Flow management module 34 then inspects the packet to retrieve TCP information and updates the flow table entry corresponding to the packet flow in flow table 40 based on information retrieved from the packet (122). For example, packet parser 61 extracts the current sequence number and flow management module 34 updates the value of the end-of-transaction identifier value 76 in the corresponding flow table entry 60 of flow table 40 to reflect the current sequence number value.
- Protocol decoders 36 determine whether the packet represents that a current transaction has been completed (124). That is, protocol decoders 36 determine whether the packet corresponds to a first packet of a next transaction by determining whether the sequence number of the packet matches a previously determined sequence number that corresponds to the first packet of a next transaction.
- flow management module 34 determines that the transaction length value is available (e.g., can be determined or has been explicitly defined) ("YES" branch of 124)
- flow management module 34 constructs a state update message including a sequence number of a next transaction for the packet flow and sends the state update message to backup IDP device 20 via backup device network interface 42 across data link 18 (126).
- primary IDP device 16 calculates a sequence number corresponding to the next transaction for the packet flow based on the current sequence number and the length of the current transaction.
- the state update message includes an identification of the packet flow associated with the update (e.g., the 5-tuple ⁇ source IP address, destination IP address, source port, destination port, and protocol ⁇ of the packet flow) and the sequence number for the first packet of the next transaction.
- backup IDP device 20 After receiving the sequence number update from primary IDP device 16 (128), backup IDP device 20 updates the TCP information associated with the packet flow (130).
- backup IDP device 20 identifies an entry in a local flow table of backup IDP device 20 corresponding to the packet flow associated with the update message (e.g., using the 5-tuple ⁇ source IP address, destination IP address, source port, destination port, and protocol ⁇ ) and updates the information of the local flow table entry.
- backup IDP device 20 updates the sequence number for the next transaction in the local flow table.
- Primary IDP device 16 also inspects the packet to determine whether the packet represents a network attack (132). In some examples, the packet inspection occurs before checking whether the transaction has been completed.
- primary IDP device 16 awaits another packet and then repeats the steps described above. However, when a switchover or failover occurs, backup IDP device 20 becomes active as a primary IDP device. Backup IDP device 20 then awaits the start of a new transaction, scanning packets of the packet flow until a new transaction is identified (136). In particular, as the method of FIG. 6 corresponds to examples using defined length transactions, backup IDP device 20 determines whether the sequence number of a current packet is equal to the sequence number from the last state update message received from primary IDP device 16. When the sequence number of a received packet is equal to the last state update message, backup IDP device 20, acting as a primary IDP device, begins inspection of the packet flow (138).
- FIG. 7 is a flowchart illustrating an example method for backup IDP device 20 to begin stateful inspection of packet flows following switchover or failover from primary IDP device 16 when delimiters are used to differentiate transactions.
- backup IDP device 20 becomes active as a result of switchover (150).
- Backup IDP device 20 may determine that switchover or failover has occurred in a number of ways. In various examples, backup IDP device 20 becomes active following an instruction from primary IDP device 16 to become active or when backup IDP device 20 does not receive a keepalive message from primary IDP 16 within an expected amount of time.
- backup IDP device 20 begins receiving packets of packet flows previously inspected by primary IDP device 16 (152). For a received packet of the packet flow, backup IDP device 20 determines whether the packet includes a delimiter, e.g., a new line character or a carriage return character (154). When the packet does not include a delimiter ("NO" branch of 154), backup IDP device 20 forwards the packet (156) and receives a next packet of the packet flow (158). Backup IDP device 20 then again determines whether this next packet includes a delimiter (154).
- a delimiter e.g., a new line character or a carriage return character
- Backup IDP device 20 continues the loop represented by steps 154-158 until a packet is received that includes a delimiter ("YES" branch of 154).
- backup IDP device 20 further performs a check to confirm that the application layer element following the delimiter conforms to a new transaction, to confirm that the delimiter was not intended as part of the previous transaction but was indeed intended to indicate the end of the transaction and the start of a new transaction.
- backup IDP device 20 starts stateful inspection for the new transaction of the packet flow at a start state representative of a new transaction (160).
- backup IDP device 20 selects the DFA based on an identified application or application-layer protocol, as indicated by a state update message from primary IDP device 16, and anchors the DFA at the beginning of the new transaction. Backup IDP device 20 then begins application-layer inspection of packets of the packet flow (162).
- FIG. 8 is a flowchart illustrating another example method for backup IDP device 20 to begin stateful inspection of packet flows following switchover or failover from primary IDP device 16 when transactions have defined lengths in order to differentiate transactions.
- backup IDP device 20 becomes active as a result of switchover (180).
- Backup IDP device 20 may determine that switchover or failover has occurred in a number of ways, as described above.
- backup IDP device 20 After backup IDP device 20 becomes active, backup IDP device 20 begins receiving packets of packet flows previously inspected by primary IDP device 16 (182). It is assumed that backup device 20 has previously received a state update message from primary IDP device 16 that indicates the sequence number of the first packet of the next transaction of the packet flow. Accordingly, backup IDP device 20 checks the sequence number of each packet of the packet flow to determine whether the sequence number matches the received sequence number of the next transaction (184). If not ("NO" branch of 184), backup IDP device 20 forwards the packet (186) and awaits receipt of the next packet of the packet flow (188).
- Backup IDP device 20 continues the loop represented by steps 184-188 until a packet is received that has a sequence number equal to the sequence number of the first packet of the next transaction ("YES" branch of 186). Upon receiving such a packet, backup IDP device 20 starts stateful inspection for the new transaction of the packet flow at a start state representative of a new transaction (190). In particular, backup IDP device 20 selects the DFA based on an identified application or application-layer protocol, as indicated by a state update message from primary IDP device 16, and anchors the DFA at the beginning of the new transaction. Backup IDP device 20 then begins stateful inspection of packets of the packet flow (192).
- intrusion detection and prevention devices can be implemented in any pair of stateful primary and backup devices in a high availability cluster, that is, any two network devices configured in cluster mode that are aware of session state.
- stateful security devices e.g., firewalls, intrusion detection systems, intrusion prevention systems, data loss prevention (DLP) systems, web security gateways and extensible devices (such as routers and gateways) including a security card that performs stateful packet inspection
- non-security devices in a high availability environment may also be configured perform the techniques of this disclosure.
- URL filtering devices configured in a cluster mode for providing high availability may be configured to implement the techniques of this disclosure.
- Other examples of non security devices include Traffic Monitoring systems, application performance management systems and lawful intercept systems.
- Examples of devices as “primary” and “backup” should be understood as indications of whether a particular device is actively or passively monitoring traffic of a particular packet flow.
- a device designated as “primary” or “backup” is not necessarily an indication that the device is “primary” or “backup” for all packet flows.
- active/passive arrangements, one device is active, or primary, with respect to all packet flows, while another device is passive, or backup, and upon failover, the passive device becomes active.
- a first device is active with respect to a first plurality of packet flows
- a second device is active with respect to a second plurality of packet flows
- the first device is passive with respect to the second plurality of packet flows
- the second device is passive with respect to the first plurality of packet flows.
- the first device and the second device are each active with respect to at least one packet flow and passive with respect to at least one packet flow, and the first and second devices provide backup for each other.
- the techniques of this disclosure are generally applicable to both active/passive arrangements and active/active arrangements.
- processors including one or more microprocessors, digital signal processors (DSPs), application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), or any other equivalent integrated or discrete logic circuitry, as well as any combinations of such components.
- DSPs digital signal processors
- ASICs application specific integrated circuits
- FPGAs field programmable gate arrays
- processors may generally refer to any of the foregoing logic circuitry, alone or in combination with other logic circuitry, or any other equivalent circuitry.
- a control unit comprising hardware may also perform one or more of the techniques of this disclosure.
- Such hardware, software, and firmware may be implemented within the same device or within separate devices to support the various operations and functions described in this disclosure.
- any of the described units, modules or components may be implemented together or separately as discrete but interoperable logic devices. Depiction of different features as modules or units is intended to highlight different functional aspects and does not necessarily imply that such modules or units must be realized by separate hardware or software components. Rather, functionality associated with one or more modules or units may be performed by separate hardware or software components, or integrated within common or separate hardware or software components.
- Computer readable storage media may include random access memory (RAM), read only memory (ROM), programmable read only memory (PROM), erasable programmable read only memory (EPROM), electronically erasable programmable read only memory (EEPROM), flash memory, a hard disk, a CD-ROM, a floppy disk, a cassette, magnetic media, optical media, or other computer-readable storage media.
- RAM random access memory
- ROM read only memory
- PROM programmable read only memory
- EPROM erasable programmable read only memory
- EEPROM electronically erasable programmable read only memory
- flash memory a hard disk, a CD-ROM, a floppy disk, a cassette, magnetic media, optical media, or other computer-readable storage media.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Communication Control (AREA)
Description
- This disclosure relates to computer networks and, more particularly, to security devices used within computer networks.
- The goal of high availability computer network environments is to provide users and other entities with "always on" service. That is, high availability computer network environments should provide reliable, continuous operation service. To accomplish this, network devices in a high availability environment perform error detection and implement recoverability for detected errors. Unfortunately, network devices occasionally fail. For example, a software or hardware problem or a power fault within a security device may cause all or a portion of the security device to stop functioning.
- When a network device fails, all network traffic flowing through the failed network device may cease. For an enterprise that depends on such network traffic, this may be unacceptable, even if this failure occurs only for a short time. To minimize the possibility of a failure causing all network traffic to cease, redundant hardware such as a backup controller or a separate backup network device may be installed. Thus, if the network device that has primary responsibility for performing the security services (i.e., the master device) fails, the backup device may be quickly substituted for the master device. In other words, the failing network device "fails over" to the backup device. A master device may also "switch over" to the backup device to go offline temporarily, e.g., to install software and/or firmware updates or to undergo other routine maintenance procedures. In general, failover is considered a form of switchover. After failing over or switching over to the backup device, the backup device becomes the master device. High availability clusters often include such primary and backup network devices.
- An intrusion detection and prevention (IDP) device inspects application layer (that is, OSI Layer Seven) data to attempt to detect malicious traffic. In general, IDP devices execute one or more complex finite automata or algorithms, using the application layer data as input, to detect patterns and event sequences that are indicative of malicious traffic. This complex detection process often requires generation and maintenance of substantial state information that describes the current traffic patterns and events of the current application-layer session. The substantial state information often prohibits the effective use of high availability with respect to IDP devices.
-
US 2006/062142 A1 relates to cooperative TCP / BGP window management for stateful switchover. -
US 2008/163248 A1 relates to a system and a method for comoleteness of TCP data in TCP HA. - The invention is set out in the appended set of claims.
-
-
FIG. 1 is a block diagram illustrating an example system in which a primary intrusion detection and prevention (IDP) device synchronizes application-layer IDP state with a backup IDP device for packet flows between source devices and destination devices. -
FIG. 2 is a block diagram illustrating an example arrangement of components of a primary IDP device. -
FIG. 3 is a block diagram illustrating an example of a stateful inspection engine of a primary IDP device. -
FIG. 4 is a block diagram illustrating example sub-components of a flow management module of a primary IDP device and an example flow table entry in a flow table of the primary IDP device. -
FIG. 5 is a flowchart illustrating an example method for creating a new flow table entry upon receiving a new packet flow and for updating a backup IDP device with information for the new packet flow. -
FIG. 6 is a flowchart illustrating an example method for sending sequence number updates from a primary IDP device to a backup IDP device, for examples corresponding to length-encoded application-layer protocols having transactions of defined lengths. -
FIG. 7 is a flowchart illustrating an example method for a backup IDP device to become active following failover of an active IDP device when transactions are differentiated by delimiter values. -
FIG. 8 is a flowchart illustrating an example method for a backup IDP device to become active following failover of an active IDP device when transactions have defined transaction lengths. -
FIG. 1 is a block diagram illustrating an example in which primary intrusion detection and prevention (IDP)device 16 andbackup IDP device 20 provide effective high-availability IDP services withincomputing environment 10. As described herein,primary IDP device 16 and backupIDP device 20 synchronize application-layer IDP state for intercepted network sessions that flow betweensource devices 12 anddestination devices 24. In general,primary IDP device 16 performs stateful inspection of application-layer data for packet flows betweensource devices 12 anddestination devices 24. Each ofsource devices 12 may establish an application-layer communication session with one or more ofdestination devices 24, where each communication session typically comprises a pair of packet flows between the source devices and the destination devices. - The term "packet flow" refers to a set of packets originating from a particular one of
source devices 12 and sent to a particular one ofdestination devices 24 as part of an application-layer network session between the one ofsource devices 12 and the one ofdestination devices 24, where each flow is typically identified by a five-tuple of source IP address, destination IP address, source port, destination port, a transport-layer protocol (e.g., TCP, UDP or the like). Similarly, a set of packets originating from a particular one ofdestination devices 24 and sent to a particular one ofsource devices 12 as part of a corresponding network session also forms a packet flow.Source devices 12 are also referred to as "clients" anddestination devices 24 are also referred to as "servers," in some contexts. In general, a network session comprises two packet flows between two devices, each of the packet flows being in opposite directions. - In the example of
FIG. 1 ,source devices 12 are coupled toprimary IDP device 16 andbackup IDP device 20 vianetwork 14, andprimary IDP device 16 andbackup IDP device 20 are coupled todestination devices 24 vianetwork 22. In other examples, any or all ofsource devices 12 may be coupled toprimary IDP device 16 and backupIDP device 20 directly or through other networks similar tonetwork 14. In general,network 14 andnetwork 22 typically include one or more network devices, such as, for example, routers, switches, bridges, gateways, hubs, or security devices.Primary IDP device 16 andbackup IDP device 20 are also coupled viadata link 18. In the example ofFIG. 1 ,primary IDP device 16 andbackup IDP device 20 are directly coupled viadata link 18. In other examples, however,primary IDP device 16 andbackup IDP device 20 are coupled via intermediate network devices. - For purposes of explanation, it is assumed that
network 14 includes a router or switch that directs traffic toprimary IDP device 16 and/orbackup IDP device 20. In one example, a switch at the edge ofnetwork 14 directs packet flows toprimary IDP device 16 whileprimary IDP device 16 remains active. Whenprimary IDP device 16 switches over or fails over to backupIDP device 20, the switch updates forwarding information such that network traffic is directed to backupIDP device 20, instead ofprimary IDP device 16.Primary IDP device 16 may restart, recover from an error, be replaced, or otherwise become active again, in which caseprimary IDP device 16 becomes active and primary, after which backupIDP device 20 reverts to acting as a backup, rather than as the primary. Accordingly, afterprimary IDP device 16 becomes active again, the switch again updates the forwarding information such that network traffic is directed toprimary IDP device 16, rather than backupIDP device 20. -
Primary IDP device 16 and backupIDP device 20 form a high availability cluster. Accordingly,primary IDP device 16 andbackup IDP device 20 are configured in "cluster mode." In general, traffic that passes through a high-availability cluster establishes an active session on a primary node, e.g.,primary IDP device 16, and the primary node establishes a backup session on a backup node, e.g., backupIDP device 20, and synchronizes the active session to the backup node. The term "high availability" generally refers to network devices or services that are "always on," that is, that are reliable, provide error detection and recoverability, and provide continuous operation. In the example ofFIG. 1 , backupIDP device 20 performs as a primary IDP device whenprimary IDP device 16 encounters an error or otherwise goes offline. That is,primary IDP device 16 fails over or switches over to backupIDP device 20, in the event of an error or an event that causesprimary IDP device 16 to go offline. For example,primary IDP device 16 may switchover to backupIDP device 20 to perform a software update that requires a restart ofprimary IDP device 16. - In some examples,
primary IDP device 16 sends application-layer IDP state data for packet flows (e.g., synchronization messages) and control messages (e.g., heartbeat or keepalive messages) to backupIDP device 20 via different links betweenprimary IDP device 16 andbackup IDP device 20. These links may comprise separate physical links or separate logical links over the same physical medium. In some examples,backup IDP device 20 determines thatprimary IDP device 16 is still active by receiving periodic keepalive messages. Accordingly, when backupIDP device 20 does not receive a keepalive message fromprimary IDP device 16 after a period of time,backup IDP device 20 determines thatprimary IDP device 16 is no longer active, and so backupIDP device 20 becomes active, treating the failure ofprimary IDP device 16 to send an expected keepalive message as a failover event. - As stated above,
primary IDP device 16 andbackup IDP device 20 perform stateful inspection of application-layer data of packet flows betweensource devices 12 anddestination devices 24. That is,primary IDP device 16 executes application-layer protocol decoders that process application-layer communications and output transaction data that identifies application-layer transactions. In particular, the transaction data indicates when a series of related application-layer communications between two peer devices start and end.Primary IDP device 16 then applies intrusion detection algorithms such as signature matching using deterministic finite automaton (DFA) or other algorithms to each transaction to detect acceptable and unacceptable application layer data. In some examples,primary IDP device 16 andbackup IDP device 20 comprise particular DFAs for each type of application-layer protocol that can be inspected by IDP devices. - In some examples, the DFA begins in a start state for application layer components of transactions of an application of a packet flow, such that upon reaching the end of a component, the IDP device determines whether the end state of the DFA corresponds to an accept state, a non-threat state, an attack state, or other state that indicates whether the transaction indicates that the packet flow is malicious. The DFAs may be referred to herein as "application layer component-based DFAs" in that, when applied, each DFA may begin at a start state upon detecting a beginning of an application-layer component of a transaction and be configured to resolve to either an acceptable state or unacceptable state before or upon reaching the completion of that same application-layer component of the transaction within the application-layer data being processed.
- In other words, at least some of the detection algorithms applied by the DFAs may be configured to be compartmentalized on a per-transaction basis so as not to cross application-layer transaction boundaries. This may assist with the anchoring and processing of existing packet flows upon failover to
backup IDP device 20. The use of DFAs to detect network attacks is discussed in greater detail inU.S. Application No. 12/568,319, "NETWORK TRAFFIC PATTERN MATCHING USING ADAPTIVE DETERMINISTIC FINITE AUTOMATA," Ma et al., filed September 28, 2009 U.S. Application No. 11/738,059, "NETWORK ATTACK DETECTION USING PARTIAL DETERMINISTIC FINITE AUTOMATON PATTERN MATCHING," Ma et al., filed April 20, 2007 -
Primary IDP device 16 is configured to detect new communication sessions betweensource devices 12 anddestination devices 24 and, for each communication session, determine an application-layer protocol for the session inspecting the intial packets of the packet flow, e.g., using protocol decoders and/or application identification techniques. Example application identification techniques are discussed inU.S. Patent Application No. 12/432,325, Bums et al., "DETECTING MALICIOUS NETWORK SOFTWARE AGENTS," filed April 29, 2009 U.S. Patent Application No. 11/937,163, Yang et al., "Multi-layered Application Classification and Decoding," filed Nov. 8, 2007 U.S. Patent Application No. 11/835,923, Burns et al., "Identifying Applications for Intrusion Detection Systems," filed Aug. 8, 2007 - In general,
primary IDP device 16 sends relatively few application-layer IDP state update messages tobackup IDP device 20 yet provide high-availability IDP services to existing communication sessions, i.e., communication sessions established prior to failover, as well as new sessions. In one example,primary IDP device 16 sends application-layer IDP state update messages tobackup IDP device 20 for session events, such as creation of a new network session (e.g., whenprimary IDP device 16 identifies a previously unmonitored packet flow), deletion of an existing network session (e.g., upon detecting a close session message), and blocking of an existing network session (e.g., whenprimary IDP device 16 determines that a network session or packet flow thereof is malicious). In some examples, e.g., where an identified application-layer protocol is length-encoded and has transactions that are of a defined length,primary IDP device 16 sends state updates tobackup IDP device 20 for each transaction, to informbackup IDP device 20 of a marker, e.g., a TCP sequence number, that signals when a next application-layer transaction will begin in the packet flow. For example, a layer four TCP sequence number can be calculated by adding the length of the current transaction to the sequence number of the beginning of the current transaction, plus the lengths of other packet headers as necessary. - Upon identifying an application-layer protocol used for a communication session,
primary IDP device 16 sends an application-layer IDP state update message tobackup IDP device 20 to record the new session.Primary IDP device 16 treats the act of identifying an application-layer protocol that is in use for a packet flow as an initial session event for the IDP services. At this time,primary IDP device 16 sends a state update message tobackup IDP device 20 that identifies the packet flow and includes an identification of the application-layer protocol associated with the packet flow. In some examples, following failover or switchover,backup IDP device 20 uses the identity of the application-layer protocol specified byprimary IDP device 16 to anchor the correct protocol decoder to the packet flow to detect the start of a new application-layer transaction and trigger commencement of renewed application-layer IDP services for the packet flow. For example, assuming thatprimary IDP device 16 determines that the application-layer protocol for the packet flow comprises HTTP,backup IDP device 20 may look for the beginning of a new HTTP request, e.g., a GET, HEAD, or POST request. Following failover, and upon detecting the end of a current transaction and the start of a new transaction,backup IDP device 20 begins inspecting application-layer data associated with a subsequent application-layer transaction. Althoughbackup ID device 20 may perform some processing (e.g., stateless processing) of the application-layer data of packets that precede the beginning of the new transaction,backup IDP device 20 begins stateful processing only for transactions including and following the new transaction. - The techniques of this disclosure may prevent a restart of network sessions associated with packet flows being inspected by
primary IDP device 16 upon a switchover or failover tobackup IDP device 20, thereby allowing the IDP devices to achieve improved high-availability IDP services. Further, the high-availability IDP services may be achieved without requiring thatprimary IDP device 16 replicate each received packet of each packet flow tobackup IDP device 20, which would consume far too many network and computational resources in high-volume networks. In one example,primary IDP device 16 informsbackup IDP device 20 of identified application-layer protocols for newly detected communication sessions, andbackup IDP device 20 begin inspecting packet flows following switchover or failover ofprimary IDP device 16 by anchoring an appropriate protocol decoder to an existing packet flow and synchronizing attack detection to the start of a new, subsequent transaction. In some examples, these techniques also includeprimary IDP device 16, upon detecting a new application-layer transaction, informingbackup IDP device 20 of a TCP sequence number or other marker that may be used as an aid by the backup IDP device to predict the start of the next transaction. -
Primary IDP device 16 sends application-layer IDP state update messages tobackup IDP device 20 viadata link 18 for a particular packet flow whenprimary IDP device 16 detects the end of a current transaction. The end of a transaction is signaled in different ways, in various examples. Primarily, the end of a transaction is signaled either by the presence of a delimiter value, such as a new line character, a line feed character, a carriage return character, or some combination thereof, or by having transactions of a particular length. Examples of new line and line feed characters include '\n' and '0x0A'. Examples of carriage return characters include '\r' and '0x0D'. Other characters can also be used as delimiters to designate the end of a transaction. In general, delimiters that designate the end of a transaction are defined according to an application and/or application-layer protocol. Accordingly,primary IDP device 16 andbackup IDP device 20 are configured to recognize delimiters corresponding to application-layer protocols and applications that are recognized byprimary IDP device 16 andbackup IDP device 20. - When the end of a transaction is signaled by a delimiter value,
primary IDP device 16 does not need to send messages tobackup IDP device 20 for each transaction. Instead,primary IDP device 16 can simply send application-layer IDP state messages for each network session event, such as a create, delete, block, or application identification event. When transactions are of a defined length, however,primary IDP device 16 informsbackup IDP device 20 of TCP sequence numbers that indicate the start of a next transaction. In particular,primary IDP device 16 calculates the TCP sequence number corresponding to the next transaction as the sum of the TCP sequence number of the first packet of a current transaction, the length of the transaction, and any additional length added by packet headers not represented by the application layer payload of packets of the transaction. - When
primary IDP device 16 determines the length of a transaction,primary IDP device 16 constructs an application-layer IDP state synchronization message including a sequence number corresponding to the start of a next transaction and forwards the state synchronization message tobackup IDP device 20.Backup IDP device 20, in turn, updates state information for the packet flow in response to the state synchronization message. - Although described primarily with respect to stateful IDP devices for the purposes of explanation, the techniques of this disclosure can be applied to any pair of primary/backup network elements in which sequence number awareness is needed. For example, other security devices, such as intrusion detection or intrusion prevention devices, Data Loss Prevention devices, and Web Security gateways, may perform the techniques of this disclosure. As another example, devices configured to perform uniform resource locator (URL) filtering can also be configured to perform the techniques of this disclosure. In general, any pair of devices in a high availability configuration that utilize protocol decoders can be configured to perform the techniques of this disclosure.
- Rather than inspecting only new packet flows of new sessions following a switchover or failover, the techniques of this disclosure provide
backup IDP device 20 with the ability to perform stateful inspection of packets of an existing packet flow following a switchover or failover. In particular,backup IDP device 20 uses the application-layer IDP state update messages received fromprimary IDP device 16 prior to a switchover or failover to determine when a new transaction of the packet flow begins, andbackup IDP device 20 begins inspecting the packet flow at the new transaction and each subsequent transaction of the packet flow. - Following switchover or failover,
backup IDP device 20 enters an "anchor mode" in whichbackup IDP device 20 searches for the beginning of a next transaction of a packet flow.Backup IDP device 20 inspects packets of the packet flow to detect either a delimiter representative of a new transaction, or a packet having a TCP sequence number that is equal to a TCP sequence number received fromprimary IDP device 16 indicative of a new transaction. In either case,backup IDP device 20 attempts to detect a packet representative of a last packet of a current transaction and/or a first packet of a new transaction to anchor a protocol decoder for the packet flow and begin inspecting the packet flow to determine whether the packet flow represents a network attack. - In general, a packet flow comprises a plurality of packets. Each of the plurality of packets may correspond to a particular transaction of the packet flow. In some examples, one or more of the plurality of packets may correspond to a delimiter that is used to differentiate between two transactions. That is, each transaction of a packet flow may be followed by a delimiter to indicate a distinction between the transaction and a following transaction. In such examples, determining that at least one of a plurality of packets corresponds to a first packet of a new transaction includes determining that the packet immediately following a delimiter corresponds to the first packet of the transaction.
- Alternatively, transactions may be defined to comprise a fixed number of bytes, described as a length of a transaction. In some examples, each transaction of a packet flow has the same length, whereas in other examples, each transaction includes a length value in a transaction header that describes the length of the transaction, e.g., a number of bytes for the transaction. In either case, determining that at least one of a plurality of packets corresponds to the first packet of a transaction includes determining that the packet has a TCP sequence number that is equal to a largest TCP sequence number received from
primary IDP device 16 that indicates the start of a new transaction. Alternatively, in some examples,primary IDP device 16 sends a message that includes the TCP sequence number of the first packet of a new transaction, as well as a length of the transaction, and allowsbackup IDP device 20 to calculate the sequence number of the first packet of a next transaction. Packet synchronization numbers correspond to particular bytes of the packet flow, and therefore, the difference between the synchronization number of a first packet of a transaction and the synchronization of a last packet of the transaction corresponds to the length of the transaction. In this manner, the first packet of a next transaction can be identified by calculating the difference between the sequence number of a received packet and the sequence number of the first packet of a transaction and, when the difference is equal to the transaction length, determining that the received packet is the first packet of the next transaction. - The techniques of this disclosure are described with respect to a single packet flow, for purposes of explanation. However, it should be understood that, in general,
primary IDP device 16 inspects packets of a plurality of packet flows. Therefore, the techniques described in this disclosure may be applied to any number of packet flows. -
System 10 ofFIG. 1 may provide several advantages. For example, configuration ofprimary IDP device 16 andbackup IDP device 20 provide a lightweight mechanism for synchronizing session state and for continuing IDP inspection for network sessions following failover or switchover fromprimary IDP device 16 andbackup IDP device 20 in the example high-availability environment ofsystem 10. The techniques implemented byprimary IDP device 16 andbackup IDP device 20 scale well to systems that inspect various numbers of packet flows, as the communication required betweenprimary IDP device 16 andbackup IDP device 20 is minimal to maintain session synchronization. Because state synchronization occurs betweenprimary IDP device 16 andbackup IDP device 20,backup IDP device 20 is able to perform stateful packet inspection following switchover or failover fromprimary IDP device 16. In this manner,backup IDP device 20 is able to inspect packets of a new transaction as well as subsequent packets of the packet flows previously inspected byprimary IDP device 16 following switchover or failover. -
FIG. 2 is a block diagram illustrating an example arrangement of components of primary IDP device 16 (FIG. 1 ).Backup IDP device 20 may include components similar to those described with respect toFIG. 2 . In the example ofFIG. 2 ,primary IDP device 16 comprisesinput network interface 30,control unit 32,flow management module 34,stateful inspection engine 28,protocol decoders 36, forwardingcomponent 31,output network interface 38, flow table 40, backupnetwork device interface 42, andsecurity management module 45. Although three distinct network interfaces are depicted in the example ofFIG. 2 , other examples may include a single network interface that performs the functions attributed toinput network interface 30,output network interface 38, and/or backupdevice network interface 42. -
Security management module 45 presents a user interface by whichadministrator 43 configuresprimary IDP device 16. For example,administrator 43 may configureprimary IDP device 16 to monitor particular subnets of the enterprise network. In addition,security management module 45 presents a user interface by whichadministrator 43 may specifyattack definitions 44, whichsecurity management module 45 relays tostateful inspection engine 28. In one example,attack definitions 44 comprise compound attack definitions. Moreover,security management module 45 may present a user interface by whichadministrator 43 may modify assumptions regarding packet flow characteristics, such as the highest priority packet flows for monitoring, port bindings for applications, or other features of determining a type of application and protocol associated with the packet flow. - In the illustrated example,
primary IDP device 16 includes a forwardingplane 23 that transparently monitorsinbound network traffic 25 and forwards the network traffic asoutbound network traffic 26. In the example illustrated byFIG. 2 , forwardingplane 23 includesinput network interface 30,flow management module 34,stateful inspection engine 28, a plurality ofprotocol decoders 36, forwardingcomponent 31,output network interface 38, and backupdevice network interface 42. -
Primary IDP device 16 comprisescontrol unit 32 that executesflow management module 34 andprotocol decoders 36.Control unit 32 may comprise any combination of hardware, firmware, and/or software for performing the functions attributed to controlunit 32. For example,control unit 32 may comprise a programmable processor that executes instructions stored in a computer-readable storage medium.Primary IDP device 16 may comprise a computer-readable storage medium encoded with instructions forflow management module 34 and/orprotocol decoders 36. Alternatively,flow management module 34 and/orprotocol decoders 36 may comprise discrete hardware units, such as digital signal processors (DSPs), application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), or any other equivalent integrated or discrete logic circuitry, or any combination of hardware, firmware, and/or software. - In general,
flow management module 34 determines, for packets received viainput network interface 30, a packet flow to which the packets belong and characteristics of the packet flow.Flow management module 34 also provides session state updates, e.g., event updates and, for length encoded protocols, sequence number updates, actions taken with respect to a particular network device, packet flow, or network session (e.g., block, rate limit, time to block, etc.), or other state updates, tobackup IDP device 20 for each packet flow. For each packet flow,flow management module 34 provides state updates tobackup IDP device 20 for each packet flow event. For packet flows corresponding to length-encoded application-layer protocols,primary IDP device 20 provides application-layer IDP state update messages at each new transaction to identify the TCP sequence number corresponding to a first packet of a next transaction. - When a packet flow is first received,
flow management module 34 constructs a state update message including information regarding the packet flow that indicates that a new packet flow has begun and is being monitored byprimary IDP device 16. The state update message includes information such as, for example, the five-tuple {source IP address, destination IP address, source port, destination port, protocol}, and in some examples, an indication of how transactions are differentiated (e.g., whether defined length transactions or delimiters used to separate transactions, which particular delimiters are used, lengths of transactions, etc.)Flow management module 34 also sends application-layer IDP state update messages when an application corresponding to the packet flow is identified, where the message includes an identification of the application. -
Flow management module 34 receivesinbound traffic 25 and identifies network flows within the traffic. Each network flow represents a flow of packets in one direction within the network traffic and is identified by at least a source address, a destination address and a communication protocol.Flow management module 34 may utilize additional information to specify network flows, including source media access control (MAC) address, destination MAC address, source port, and destination port. Other examples may use other information to identify network flows, such as IP addresses. -
Flow management module 34 maintains data within flow table 40 that describes each active packet flow present within the network traffic. Flow table 40 specifies network elements associated with each active packet flow, i.e., low-level information such as source and destination devices and ports associated with the packet flow. In addition, flow table 40 identifies pairs or groups of packet flows that collectively form a single communication session between a client and server. For example, flow table 40 may designate communication session as pairs of packet flows in opposite directions for flows sharing at least some common network addresses, ports and protocol. -
Flow management module 34 maintains flow table 40, which includes parameters of each packet flow monitored byprimary IDP device 16. As described in greater detail with respect to the example ofFIG. 4 below, flow table 40, in one example, includes entries for each packet flow that include information such as packet flow identifying information, such as the five-tuple {source IP address, destination IP address, source port, destination port, protocol), an identification of the application corresponding to the packet flow, whether the packet flow is active or blocked, and how transactions are differentiated (e.g., whether delimiters or transaction lengths are used). Flow table 40 generally includes an entry for each packet flow monitored byprimary IDP device 16. - When
primary IDP device 16 receives a new packet flow,flow management module 34 extracts data from packets forming a three-way handshake of the packet flow to create a new entry in flow table 40. The three-way handshake generally includes a synchronization (SYN) packet from a client to a server, a synchronization-acknowledgement (SYN-ACK) packet from the server to the client, and an acknowledgement (ACK) packet from the client to the server. These packets also include session information, such as an initial sequence numbers for both the client (in the SYN packet) and the server (in the SYN-ACK packet). - Likewise,
primary IDP device 16 begins inspecting packets of a new packet flow to identify an application-layer protocol for the packet flow. Upon identifying the protocol,primary IDP device 16 sends an IDP state update message tobackup IDP device 20 via backup device network interface, where the IDP state update message identifies the new packet flow and includes an identification of the application-layer protocol that has been identified as used within the payload of the packets. In general, the manner in which transactions are differentiated is defined by the application-layer protocol. In some examples, though,primary IDP device 16 explicitly informsbackup IDP device 20 of the manner in which transactions are differentiated, using the state update message that indicates the identified application-layer protocol. In some examples,primary IDP device 16 includes in the state update message indicating the identified protocol whether the manner in which transactions are differentiated includes the use of delimiters, in which caseprimary IDP device 16 may further indicate which delimiters are used, or the use of defined lengths of transactions, in which caseprimary IDP device 16 may further indicate the length of each transaction in the state update message or in individual messages for each new transaction. -
Flow management module 34 determines whether transactions are defined using delimiters or fixed length sequences of bits/bytes. In examples in which delimiters are used to indicate the separation between transactions,flow management module 34 also determines which delimiters apply to a protocol determined to correspond to the packet flow. In some examples,flow management module 34 determines the manner in which transactions are differentiated for the protocol (e.g., by looking for common delimiters such as new line and carriage return characters), while in other examples,control unit 32 determines how to distinguish transactions from each other based solely on the application-layer protocol identification.Flow management module 34 updates the entry corresponding to a packet flow when parameters for the packet flow change. -
Backup IDP device 20 also includes a local flow table similar to flow table 40. Whenflow management module 34 determines that a received packet forms part of a new packet flow,flow management module 34 sends the extracted information from the three-way handshake packets of the new packet flow (e.g., the packet flow identifying 5-tuple) tobackup IDP device 20 viadata link 18.Backup IDP device 20 creates a new entry for the new packet flow in the local flow table using data received fromflow management module 34 ofprimary IDP device 16. In some examples, this information also includes the initial sequence number of the packet flow. Whenbackup IDP device 20 receives application-layer IDP state updates fromprimary IDP device 16,backup IDP device 20 updates a corresponding entry in the local flow table ofbackup IDP device 20. - When
primary IDP device 16 switches over or fails over tobackup IDP device 20,backup IDP device 20 begins receiving packets of packet flows previously monitored byprimary IDP device 16.Backup IDP device 20 scans received packets of a packet flow to identify the beginning of a new application-layer transaction of the packet flow, e.g., by identifying a transaction delimiter within the application-layer data carried by the payload of the packet. In examples in which application-layer transactions of a packet flow have a defined length in bytes, such as for length-encoded protocols,backup IDP device 20 determines that a packet having a sequence number equal to the sequence number of the last state update message fromprimary IDP device 16 corresponds to the first packet of a new transaction. Whenbackup IDP device 20 detects the first packet of a new transaction,backup IDP device 20 begins processing the new transaction to detect attacks in subsequent packets of the packet flow. In some examples,backup IDP device 20 forwards packets of the packet flow that are not part of the new application-layer transaction without inspecting these packets. In some examples,backup IDP device 20 drops the packets that are received before the new transaction. In this manner, following switchover or failover,backup IDP device 20 begins in an anchoring mode, awaits the start of a new application-layer transaction, anchors an application-layer protocol decoder to a point in the application-layer data where the new transaction begins, then switches to an attack detection and prevention mode and scans subsequent transactions using application layer component-based DFAs to attempt to identify and prevent malicious network traffic. - As described in further detail below,
stateful inspection engine 28 inspects packet flows to identify attacks within the packet flows. In accordance with the techniques of this disclosure,stateful inspection engine 28 inspects the packet flow to detect attacks operating at the application layer for the packet flows. Whenstateful inspection engine 28 detects an attack,stateful inspection engine 28 executes a programmed response, such as sendingalert 41 tosecurity management module 45 or instructingforwarding component 31 to drop packets of the packet flow or to end the network session corresponding to the packet flow.Stateful inspection engine 28 may also rate-limit the packet flow, i.e., throttle network sessions corresponding to detected attacks to a certain bitrate, such as 10 Mbits/second.Attack detection module 52 may also record an identifier of at least one of the network devices participating in the network session in flow table 35 and block future connection requests originating from the recorded identifier. That is,flow management module 34 may receive a connection request, determine that the connection request originates from the identifier recorded in flow table 40, and block the connection request. - In this manner,
primary IDP device 16 may block future connection requests from the network device participating in the network session as the programmed response.Forwarding component 31 may also construct a message to send to other network devices, such as other routers or IDP, IDS, or IPS devices, to block or otherwise respond to packet flows from the source network device for whichstateful inspection engine 28 detected an attack.Alert 41 may include details such as a source address of the packet flow, an identification of the application corresponding to the packet flow, the scores calculated for the metrics of the network session that ledstateful inspection engine 28 to conclude that a particular network session was malicious, or other information regarding the network session. -
Primary IDP device 16 may use a minimum data size of the reassembled TCP segments, in addition to the signature, in order to identify applications corresponding to packet flows or encapsulated packet flows. Certain applications require a minimum amount of data, soprimary IDP device 16 may distinguish malicious packet flows by determining whether the packet flow contains enough data for the identified protocol. Moreover,primary IDP device 16 may not necessarily recognize every application. In one example, when an application is unknown,primary IDP device 16 may simply forward the packet flow. Other examples take other actions for unidentified applications, however, such as discarding all packets which target unknown applications or applying a default signature to all packet flows associated with unknown application types. Other examples also apply the techniques of this disclosure to other protocols, such as the user datagram protocol (UDP).Primary IDP device 16 accordingly may require a minimum data size of UDP segments in order to identify the application associated with the UDP segments. - In one example,
stateful inspection engine 28 includes a co-processor to perform application identification. The co-processor may continually receive input in the form of the packet flow and may constantly perform application identification on the packet flow. For each chunk of the packet flow, the co-processor may return the identity or identities the application(s) that the co-processor identified. - In general,
protocol decoders 36 include a set of one or more protocol-specific software modules that process application-layer communications 33 and output transaction data 39 that identifies application-layer transactions. In particular, transaction data 39 indicate when a series of related application-layer communications between two peer devices start and end. Additionally the protocol decoders decompose a transaction into application layer elements on which attack signatures are matched and protocol anomalies are detected. In one example, one or more ofprotocol decoders 36 may be generic protocol decoders, such that the generic protocol decoders attempt to identify the application corresponding to the payload of an application-layer communication 33. An example of a generic protocol decoder is an algorithm that matches a predefined set of application fingerprints/signatures to the data being decoded and identifies the application based on a particular fingerprint match. For example, a generic protocol decoder may attempt to identify the application corresponding to the payload of an HTTP communication. - Many of
protocol decoders 36 correspond to a different communication protocol or service. Examples of communication protocols that may be supported byprotocol decoders 36 include the HyperText Transfer Protocol (HTTP), the File Transfer Protocol (FTP), the Network News Transfer Protocol (NNTP), the Simple Mail Transfer Protocol (SMTP), Telnet, Domain Name System (DNS), Gopher, Finger, the Post Office Protocol (POP), the Secure Socket Layer (SSL) protocol, the Lightweight Directory Access Protocol (LDAP), Secure Shell (SSH), Server Message Block (SMB) and other protocols. In one example, each ofprotocol decoders 36 receives data via a universal software interface, i.e., a software interface that processes application data in a manner that is independent from the underlying transport mechanism. In this way, protocol decoders may be swapped, reused and stacked (layered) when applied to a given packet flow. - After application of
protocol decoders 36 to a given packet flow or individual packet, the protocol decoders return transaction data 39, application-layer elements 35, and protocol anomaly data 37 tostateful inspection engine 28.Stateful inspection engine 28 appliesattack definitions 44 to protocol-specific application-layer elements 35 and anomaly data 37 to detect and prevent network attacks and other security risks. - In the event a security risk is detected,
stateful inspection engine 28 outputs alert 41 tosecurity management module 45 for logging and further analysis. In addition,stateful inspection engine 28 may take additional actions according to a policy definition, such as dropping the packets associated with the communication session, automatically closing the communication session or other action. If no security risk is detected for a given communication session, forwardingcomponent 31 continues to forward the packet flows between the peers.Forwarding component 31 may, for example, maintain a routing table that stores routes in accordance with a topology of the enterprise network for use in forwarding the packet flows. Whenstateful inspection engine 28 determines that only one or an incomplete subset of a plurality of encapsulated sub-packets corresponds to a malicious network session, forwardingcomponent 31 may forward a reassembled packet comprising only those sub-packets that do not correspond to malicious network sessions. -
Stateful inspection engine 28 ofprimary IDP device 16 inspects packets received for each packet flow. For example,stateful inspection engine 28 may execute one or more DFAs for each application-layer transaction within a packet flow to determine whether the transaction corresponds to a network attack. In general, definitions of the DFAs are stored inattack definitions 44. Attackdefinitions 44 define one or more attacks, e.g., in the form of attack signatures, which correspond to regular expressions. By executing a DFA for a transaction of the packet flow,stateful inspection engine 28 determines whether the transaction represents an attack. - In general, a DFA comprises a plurality of states, an input alphabet, and a plurality of transitions defined from a first state to a second state based on a particular input character. Some examples of
stateful inspection engine 28 utilize a nondeterministic finite automata (NFA), which enables lambda transitions between states, that is, enabling a transition between a first state and a second state without an input character. In general, a DFA (or NFA) "accepts" an input sequence when, starting from an initial start state, the DFA processes a sequence of tokens that cause the DFA to transition to and end in one of one or more accept states. In some examples, particular accept states of the DFA are defined as attack states, and when the DFA accepts an input sequence in an attack state,stateful inspection engine 28 determines that the packet flow comprising the one or more packets is malicious, while other accept states are defined as non-malicious accept states. - When
stateful inspection engine 28 determines that one or more packets of a packet flow represent a network attack according toattack definitions 44,stateful inspection engine 28 performs one or more programmed responses. The programmed response may comprise, for example, dropping the attack packets, rate-limiting the packet flow, closing a network session associated with the packet flow, sending a close session message to either the client or the server (or both) of the network session, blocking future network connection requests by either the client or the server (permanently or for a defined period of time), or advertising the IP address of either or both of the client or server to other network devices to cause those network devices to block network sessions of the client or server and/or to close current network sessions of the client or server. Whenattack detection module 32 determines that a packet of a packet flow does not represent a network attack,attack detection module 32 passes the packet to theforwarding component 31, and the packet is forwarded toward the destination of the packet flow. - Moreover, the programmed response corresponds to a packet flow event, namely a "block" event. Accordingly,
flow management module 34 generates a state update message indicating the corresponding packet flow, that a block event has occurred, and the programmed response that was taken. In this manner, following switchover or failover,backup IDP device 20 is able to continue enforcing the programmed response for the packet flow. -
FIG. 3 is a block diagram illustrating an example ofstateful inspection engine 28 ofprimary IDP device 16 in further detail. In the example,stateful inspection engine 28 includesreassembly module 50,application identification module 51,attack detection module 52, patterns table 54,data buffer 55, anomalies table 56, andattack definitions 44. -
Reassembly module 50 receivesinbound network traffic 25 and reassembles application-layer communications 33 from the packet flows by removing any underlying transport information (e.g., layer four (L4) information and below).Reassembly module 50 forwards the reassembled application-layer communications 33 toapplication identification module 51, which determines an application for the network session and then sends the reassembled data to theappropriate protocol decoders 36 for processing. -
Stateful inspection engine 28 stores attackdefinitions 44 received fromsecurity management module 45. Attackdefinitions 44 may be stored, for example, in a computer-readable medium, such as random access memory (RAM). Each ofattack definitions 44 specifies a combination of one or more patterns specified within patterns table 54 and one or more protocol-specific anomalies specified within anomalies table 56. - When
stateful inspection engine 28 receives a packet as part of a packet flow,reassembly module 50 buffers the packet indata buffer 55. In one example,data buffer 55 stores data as a sliding window. That is,data buffer 55 stores data until becoming full or reaching a specified required amount of minimum data for identification. When full,data buffer 55 discards certain data to make room for storing new data. In one example,data buffer 55 stores and discards data according to a first-in, first-out (FIFO) protocol wherein the first data to be stored is the first data to be discarded whendata buffer 55 becomes full. In another example,data buffer 55 discards data according to a least recently used protocol wherein, whendata buffer 55 is full, the packet flow which has been least recently used will be discarded to make room for new data to be stored. - In one example,
reassembly module 50 associates packets in a packet flow of a network session according to the 5-tuple {source IP address, destination IP address, protocol, source port, destination port}. Other examples use other methods to associate packets with a particular packet flow or encapsulated packet flow. In one example,primary IDP device 16 comprises part of a network that utilizes virtual local area networks (VLANs). Accordingly,reassembly module 50 may associate packets in a packet flow according to a VLAN identifier, a source address, and a destination address. -
Application identification module 51 attempts to identify an application associated with each of the intercepted communication sessions. In one embodiment, whenstateful inspection engine 28 receives a packet as part of a packet flow,reassembly module 50 buffers the packet indata buffer 55.Reassembly module 50 attempts to reconstruct application layer data from the packets indata buffer 55.Application identification module 51 then attempts to identify the application associated with the packets in accordance with this reconstructed data. In other embodiments,application identification module 51 may use other techniques to attempt to identify the application associated with the communication session. -
Application identification module 51 sends data from the packets toprotocol decoders 36. Whenapplication identification module 51 is able to determine the application associated with the communication session,application identification module 51 sends data from the communication session to a corresponding one ofprotocol decoders 36. Whenapplication identification module 51 is not able to identify an application corresponding to the communication session,application identification module 51 sends the data from the communication session to a default protocol decoder ofprotocol decoders 36. -
Protocol decoders 36 include decoders for various application-layer protocols that are used to extract transaction data 39, application-layer elements 35, and protocol anomaly data 37. In some examples,protocol decoders 36 use delimiters or a defined length of transactions to determine sections of the reassembled application-layer data that correspond to individual transactions. Moreover, whenprotocol decoders 36 detect the start of a new transaction for length-encoded protocols that define lengths of transactions,protocol decoders 36 signalflow management module 34 that a new transaction has been detected and a packet in which the beginning of the new transaction was detected. Accordingly,flow management module 34 calculates a sequence number corresponding to a packet that includes data for the start of a next new transaction and sends the calculated sequence number tobackup IDP device 20 in a state update message. -
Attack detection module 52 appliesattack definitions 44 to application-layer elements 35 and protocol anomaly data 37 received fromprotocol decoders 36 that comprise individual application-layer transactions. The application-layer elements 35 may comprise application-layer elements of non-encapsulated packet flows or encapsulated packet flows (e.g., a communication session where a layer seven application-layer protocol is used to encapsulate another application-layer protocol). That is,attack detection module 52 may detect network attacks in either normal, non-encapsulated network traffic or in encapsulated packet flows. For each ofcompound attack definitions 44,attack detection module 52 selects the one or more patterns within patterns table 52 specified by the compound attack definition and determines whether any of application-layer elements 35 match the defined patterns. Each of the patterns may be defined as a respective "regular expression," which generally refers to a formula that is used to match patterns within data. - In addition to determining whether the defined patterns are present,
attack detection module 52 may determine whether any protocol anomalies detected byprotocol decoders 36 match the protocol anomalies specified byattack definitions 44.Attack detection module 52 determines that the corresponding packet flow matches one ofattack definitions 44 when both the patterns and protocol anomalies specified by the attack definition are detected within a given communication session. Further, each ofattack definitions 44 may specify whether the pattern matching and protocol anomalies are applied on a per-transaction basis or over the lifetime of the communication session. - In the event a security risk is detected,
stateful inspection engine 28 outputs alert 41 to security management module 45 (FIG. 2 ) for logging and further analysis.Stateful inspection engine 28 may also direct forwardingcomponent 31 to execute a programmed response to the security risk. The programmed response may include automatically dropping packets of the packet flow associated with the application-layer communications within which the network attack was detected.Stateful inspection engine 28 may also causeforwarding component 31 to send a close session message to one or more participants in the malicious network session as the programmed response. -
FIG. 4 is a block diagram illustrating example sub-components offlow management module 34 and an exampleflow table entry 60A of flow table 40. In the example ofFIG. 4 ,flow management module 34 comprises packet parser 61. Whenflow management module 34 first receives a packet, packet parser 61 parses the packet to determine whether the packet belongs to an existing packet flow or whether the packet represents a new packet flow. Packet parser 61 determines that SYN packets and SYN-ACK packets represent new packet flows. That is, packet parser 61 checks a SYN flag of a TCP header of a packet to determine whether the packet represents a new packet flow. In some examples, packet parser 61 determines that a packet having a 5-tuple {source IP address, destination IP address, source port, destination port, protocol} that does not match any entries of flow table 40 also represents a new (that is, unrecognized) packet flow. - When a packet represents a new packet flow, packet parser 61 extracts information regarding the new packet flow.
Flow management module 34 creates a new entry in flow table 40 for the new packet flow and stores the extracted information in the new entry. In general, flow table 40 includes a plurality of flow table entries 60, although only one entry (flowtable entry 60A) is shown inFIG. 4 for purposes of explanation.Flow table entry 60A includes data representative of a respective packet flow. In this example, flowtable entry 60A includes valuessource IP address 62A,destination IP address 64A,source port 66A,destination port 68A,protocol 70A, identifiedapplication 72A,DFA state 74A, end-of-transaction identifier 76A, and application-layer IDP state 78A. - Packet parser 61 extracts the source IP address, destination IP address, source port, destination port, and protocol values from initial packets of a new network session, e.g., the SYN, SYN-ACK, and ACK packets forming the three-way handshake to initiate a new TCP session. After creating a new entry in flow table 40 representing a new packet flow and setting application-layer IDP state 78 of the new entry to "created,"
flow management module 34 sends one or more messages tobackup IDP device 20 to indicate that a new packet flow has been identified. The messages also include the data used to create the new flow table entry. Accordingly,backup IDP device 20 creates an entry in a flow table local tobackup IDP device 20 representative of the new packet flow. - When combined to form a five-tuple, the values
source IP address 62A,destination IP address 64A,source port 66A,destination port 68A, andprotocol 70A identify the packet flow to whichflow table entry 60A corresponds. Accordingly, whenflow management module 34 receives a packet, packet parser 61 extracts the source IP address, destination IP address, source port, destination port, and protocol of the packet to determine to which entry of flow table 40 the packet corresponds. Upon identifying an existing entry in flow table 40 for the packet,stateful inspection engine 38 extracts DFA state 74 from the corresponding entry 60 of flow table 40, executes the DFA using application-layer data of the packet (extracted from the packet by protocol decoders 36), and updates the value of DFA state 74 accordingly. -
Protocol decoders 36 inspect each received packets to determine whether the packet represents part of a particular transaction, e.g., a current transaction or a new transaction, or a delimiter between transactions. In examples for which delimiters indicate a separation between transactions,protocol decoders 36 determines that a packet following a delimiter corresponds to a packet of a new transaction. Likewise,protocol decoders 36 determine that a packet preceded by a delimiter corresponds to a last packet of a transaction. In examples in which transactions are defined by a particular length, e.g., a set number of bytes,protocol decoders 36 determine that a packet having a sequence number that is one transaction-length greater than the sequence number of the beginning of a previous transaction corresponds to a new transaction. In some examples,protocol decoders 36 further determine whether an application layer element at the start of the new transaction is valid for the application protocol for the network session. For example, for HTTP, in addition to looking for new line/carriage return characters,protocol decoders 36 may also ensure that the start of the new transaction is a GET, POST, HEAD, or other HTTP transaction to confirm that the delimiter indeed was intended to separate transactions, and was not part of the content of the previous transaction. Upon detecting a new transaction, in examples that use defined lengths of transactions,flow management module 34 calculates the sequence number of the next transaction, generates a state update message that includes the sequence number of the next transaction, and sends the state update message tobackup IDP device 20. - As discussed above, a DFA comprises a plurality of states and transitions between the states based on input characters. Stateful inspection engine 28 (
FIG. 2 ) records a current DFA state for a current transaction inDFA state 74A. Accordingly, when a subsequent packet of the current transaction is received and processed,stateful inspection engine 28 processes the data of the packet and updates the value ofDFA state 74A accordingly. In some examples,stateful inspection engine 28 recognizes a plurality of different DFAs. In such examples,stateful inspection engine 28 also records an identifier of a DFA to which the current transaction corresponds inDFA state 74A, e.g., as a tuple represented by {DFA_identifier, DFA_state}. - When a received packet is part of an existing (that is, recognized) packet flow,
protocol decoders 36 extract one or more characters from the application-layer payload of the packet and passes the characters to stateful inspection engine 28 (FIG. 2 ).Stateful inspection engine 28 retrieves the current DFA and current DFA state from DFA state 74.Stateful inspection engine 28 then processes the input characters received fromprotocol decoder 36 to determine a resulting state in the corresponding DFA and records the DFA state in DFA state 74. When the packet is a last packet of the transaction, e.g., as determined byprotocol decoders 36,stateful inspection engine 28 determines whether the last DFA state is an "accept" state (e.g., to determine whether the transaction represents an attack, an error, or an acceptable input sequence) and updates DFA state 74 to reflect a DFA start state. - When the transaction is determined to represent an attack,
flow management module 34 sets the value of application-layer IDP state 78 of the corresponding entry 60 of flow table 40 to "blocked," and, in some examples, also records one or more programmed responses that were taken with respect to the packet flow, the source, and/or the destination of the packet flow in application-layer IDP state 78 of the corresponding flow table entry 60 of flow table 40. As discussed above,flow management module 34 also generates a state update message to indicate that the packet flow has been blocked, as well as one or more programmed responses that have been taken with respect to the packet flow, the source, and/or the destination. -
FIG. 5 is a flowchart illustrating an example method for creating a new flow table entry upon receiving a new packet flow. Initially,primary IDP device 16 receives packets indicative of a new packet flow (100). In general,primary IDP device 16 determines that a packet flow is a new packet flow upon receiving a SYN packet of the packet flow from a client, e.g., one of source devices 12 (FIG. 1 ), destined for a server, e.g., one of destination devices 24 (FIG. 1 ).Primary IDP device 16 also receives a SYN-ACK packet from the server in response to the SYN packet, and an ACK packet from the client in response to the SYN-ACK packet. In general, the SYN, SYN-ACK, and ACK packets are referred to as the three-way handshake packets. It should be noted that the SYN packet and the SYN-ACK packet belong to different packet flows, but to the same network session.Primary IDP device 16 associates the two packet flows with the same network session using source and destination IP addresses, source and destination port numbers, and a protocol of each packet flow - In particular, packet parser 61 parses received packets to determine whether the SYN and/or ACK flags of these packets are set. Packet parser 61 determines that packets with the SYN and/or ACK flags set are three-way handshake packets of respective new packet flows of a new network session. Packet parser 61 parses three-way handshake packets to determine, for the packet flows associated with the three-way handshake packets, a source of the packet flow including a source IP address and a source port, a destination of the packet flow including a destination IP address and a destination port, and an identified protocol of the packet flow (102). After identifying this information of a new packet flow,
flow management module 34 constructs a new entry 60 of flow table 40 to record the identified 5-tuple and sets the application-layer IDP state to "created" (104).Flow management module 34 also constructs a state update message that includes the 5-tuple and sends the state update message to backup IDP device 20 (106), which constructs a similar new entry in a local flow table ofbackup IDP device 20. - Next,
primary IDP device 16 executes an application identification process to determine an application-layer protocol for the packet flow (108). In some examples, determining the application-layer protocol further comprises performing application identification to identify an application corresponding to the packet flow, e.g., a web browser, an e-mail client, an FTP (file transfer protocol) client, a peer-to-peer file sharing client, or other network application.Primary IDP device 16 also determines how transactions are differentiated for the packet flow (110). In some examples, the determined application-layer protocol itself defines how transactions are differentiated, e.g., whether the transactions are delimited using new line, line feed, and/or carriage return characters, or whether transactions are of a defined length, e.g., for binary protocols. - The transaction differentiation type corresponds to at least one of a delimiter or a transaction length, and is determined as a factor of the application-layer protocol determined to correspond to the packet flow, as well as the identified application corresponding to the packet flow. When the transaction differentiation type corresponds to a delimiter,
flow management module 34 also determines what delimiters are used to demarcate transactions, e.g., new line characters, carriage return characters, or the like. When the transaction differentiation type corresponds to a transaction length,flow management module 34 also determines the length of the transactions, e.g., as a number of bytes. In some examples, each transaction is of the same length, while in other transactions, the length of each transaction is dynamic and signaled, e.g., with a transaction header. In any case, after identifying the application-layer protocol and transaction differentiation type,flow management module 34 updates the corresponding flow table entry 60 in flow table 40 for the packet flow to indicate the identified application-layer protocol and the transaction differentiation type (112). -
Flow management module 34 also creates a state update message forbackup IDP device 20 including the identified application-layer protocol and the transaction differentiation type and sends the state update message tobackup IDP device 20 via backupdevice network interface 42 across data link 18 (114).Protocol decoders 36 then begin inspection of application-layer data of packets of the new packet flow (116). -
FIG. 6 is a flowchart illustrating an example method for sending state updates fromprimary IDP device 16 tobackup IDP device 20 for packet flows having length-encoded application-layer protocols. Initially,primary IDP device 16 receives a packet of an existing (recognized) packet flow (120).Flow management module 34 then inspects the packet to retrieve TCP information and updates the flow table entry corresponding to the packet flow in flow table 40 based on information retrieved from the packet (122). For example, packet parser 61 extracts the current sequence number andflow management module 34 updates the value of the end-of-transaction identifier value 76 in the corresponding flow table entry 60 of flow table 40 to reflect the current sequence number value. -
Protocol decoders 36 then determine whether the packet represents that a current transaction has been completed (124). That is,protocol decoders 36 determine whether the packet corresponds to a first packet of a next transaction by determining whether the sequence number of the packet matches a previously determined sequence number that corresponds to the first packet of a next transaction. - When
flow management module 34 determines that the transaction length value is available (e.g., can be determined or has been explicitly defined) ("YES" branch of 124),flow management module 34 constructs a state update message including a sequence number of a next transaction for the packet flow and sends the state update message tobackup IDP device 20 via backupdevice network interface 42 across data link 18 (126). In particular,primary IDP device 16 calculates a sequence number corresponding to the next transaction for the packet flow based on the current sequence number and the length of the current transaction. The state update message includes an identification of the packet flow associated with the update (e.g., the 5-tuple {source IP address, destination IP address, source port, destination port, and protocol} of the packet flow) and the sequence number for the first packet of the next transaction. - After receiving the sequence number update from primary IDP device 16 (128),
backup IDP device 20 updates the TCP information associated with the packet flow (130). Whenbackup IDP device 20 receives an update message,backup IDP device 20 identifies an entry in a local flow table ofbackup IDP device 20 corresponding to the packet flow associated with the update message (e.g., using the 5-tuple {source IP address, destination IP address, source port, destination port, and protocol}) and updates the information of the local flow table entry. In particular,backup IDP device 20 updates the sequence number for the next transaction in the local flow table.Primary IDP device 16 also inspects the packet to determine whether the packet represents a network attack (132). In some examples, the packet inspection occurs before checking whether the transaction has been completed. - When a switchover or failover does not occur ("NO" branch of 134),
primary IDP device 16 awaits another packet and then repeats the steps described above. However, when a switchover or failover occurs,backup IDP device 20 becomes active as a primary IDP device.Backup IDP device 20 then awaits the start of a new transaction, scanning packets of the packet flow until a new transaction is identified (136). In particular, as the method ofFIG. 6 corresponds to examples using defined length transactions,backup IDP device 20 determines whether the sequence number of a current packet is equal to the sequence number from the last state update message received fromprimary IDP device 16. When the sequence number of a received packet is equal to the last state update message,backup IDP device 20, acting as a primary IDP device, begins inspection of the packet flow (138). -
FIG. 7 is a flowchart illustrating an example method forbackup IDP device 20 to begin stateful inspection of packet flows following switchover or failover fromprimary IDP device 16 when delimiters are used to differentiate transactions. Initially,backup IDP device 20 becomes active as a result of switchover (150).Backup IDP device 20 may determine that switchover or failover has occurred in a number of ways. In various examples,backup IDP device 20 becomes active following an instruction fromprimary IDP device 16 to become active or whenbackup IDP device 20 does not receive a keepalive message fromprimary IDP 16 within an expected amount of time. - In any case, after
backup IDP device 20 becomes active,backup IDP device 20 begins receiving packets of packet flows previously inspected by primary IDP device 16 (152). For a received packet of the packet flow,backup IDP device 20 determines whether the packet includes a delimiter, e.g., a new line character or a carriage return character (154). When the packet does not include a delimiter ("NO" branch of 154),backup IDP device 20 forwards the packet (156) and receives a next packet of the packet flow (158).Backup IDP device 20 then again determines whether this next packet includes a delimiter (154). -
Backup IDP device 20 continues the loop represented by steps 154-158 until a packet is received that includes a delimiter ("YES" branch of 154). In some examples,backup IDP device 20 further performs a check to confirm that the application layer element following the delimiter conforms to a new transaction, to confirm that the delimiter was not intended as part of the previous transaction but was indeed intended to indicate the end of the transaction and the start of a new transaction. Upon receiving such a packet,backup IDP device 20 starts stateful inspection for the new transaction of the packet flow at a start state representative of a new transaction (160). In particular,backup IDP device 20 selects the DFA based on an identified application or application-layer protocol, as indicated by a state update message fromprimary IDP device 16, and anchors the DFA at the beginning of the new transaction.Backup IDP device 20 then begins application-layer inspection of packets of the packet flow (162). -
FIG. 8 is a flowchart illustrating another example method forbackup IDP device 20 to begin stateful inspection of packet flows following switchover or failover fromprimary IDP device 16 when transactions have defined lengths in order to differentiate transactions. Initially,backup IDP device 20 becomes active as a result of switchover (180).Backup IDP device 20 may determine that switchover or failover has occurred in a number of ways, as described above. - After
backup IDP device 20 becomes active,backup IDP device 20 begins receiving packets of packet flows previously inspected by primary IDP device 16 (182). It is assumed thatbackup device 20 has previously received a state update message fromprimary IDP device 16 that indicates the sequence number of the first packet of the next transaction of the packet flow. Accordingly,backup IDP device 20 checks the sequence number of each packet of the packet flow to determine whether the sequence number matches the received sequence number of the next transaction (184). If not ("NO" branch of 184),backup IDP device 20 forwards the packet (186) and awaits receipt of the next packet of the packet flow (188). -
Backup IDP device 20 continues the loop represented by steps 184-188 until a packet is received that has a sequence number equal to the sequence number of the first packet of the next transaction ("YES" branch of 186). Upon receiving such a packet,backup IDP device 20 starts stateful inspection for the new transaction of the packet flow at a start state representative of a new transaction (190). In particular,backup IDP device 20 selects the DFA based on an identified application or application-layer protocol, as indicated by a state update message fromprimary IDP device 16, and anchors the DFA at the beginning of the new transaction.Backup IDP device 20 then begins stateful inspection of packets of the packet flow (192). - Although generally described with respect to intrusion detection and prevention devices for purposes of example, it should be understood that the techniques of this disclosure can be implemented in any pair of stateful primary and backup devices in a high availability cluster, that is, any two network devices configured in cluster mode that are aware of session state. For example, other stateful security devices, e.g., firewalls, intrusion detection systems, intrusion prevention systems, data loss prevention (DLP) systems, web security gateways and extensible devices (such as routers and gateways) including a security card that performs stateful packet inspection, may be configured to perform the techniques of this disclosure. Moreover, non-security devices in a high availability environment may also be configured perform the techniques of this disclosure. For example, URL filtering devices configured in a cluster mode for providing high availability may be configured to implement the techniques of this disclosure. Other examples of non security devices include Traffic Monitoring systems, application performance management systems and lawful intercept systems.
- Descriptions of devices as "primary" and "backup" (or "active" and "passive") should be understood as indications of whether a particular device is actively or passively monitoring traffic of a particular packet flow. A device designated as "primary" or "backup" is not necessarily an indication that the device is "primary" or "backup" for all packet flows. In some arrangements, referred to as "active/passive" arrangements, one device is active, or primary, with respect to all packet flows, while another device is passive, or backup, and upon failover, the passive device becomes active. On the other hand, in other arrangements, referred to as "active/active" arrangements, a first device is active with respect to a first plurality of packet flows, a second device is active with respect to a second plurality of packet flows, the first device is passive with respect to the second plurality of packet flows, and the second device is passive with respect to the first plurality of packet flows. In this manner, the first device and the second device are each active with respect to at least one packet flow and passive with respect to at least one packet flow, and the first and second devices provide backup for each other. The techniques of this disclosure are generally applicable to both active/passive arrangements and active/active arrangements.
- The techniques described in this disclosure may be implemented, at least in part, in hardware, software, firmware or any combination thereof. For example, various aspects of the described techniques may be implemented within one or more processors, including one or more microprocessors, digital signal processors (DSPs), application specific integrated circuits (ASICs), field programmable gate arrays (FPGAs), or any other equivalent integrated or discrete logic circuitry, as well as any combinations of such components. The term "processor" or "processing circuitry" may generally refer to any of the foregoing logic circuitry, alone or in combination with other logic circuitry, or any other equivalent circuitry. A control unit comprising hardware may also perform one or more of the techniques of this disclosure.
- Such hardware, software, and firmware may be implemented within the same device or within separate devices to support the various operations and functions described in this disclosure. In addition, any of the described units, modules or components may be implemented together or separately as discrete but interoperable logic devices. Depiction of different features as modules or units is intended to highlight different functional aspects and does not necessarily imply that such modules or units must be realized by separate hardware or software components. Rather, functionality associated with one or more modules or units may be performed by separate hardware or software components, or integrated within common or separate hardware or software components.
- The techniques described in this disclosure may also be embodied or encoded in a computer-readable medium, such as a computer-readable storage medium, containing instructions. Instructions embedded or encoded in a computer-readable medium may cause a programmable processor, or other processor, to perform the method, e.g., when the instructions are executed. Computer readable storage media may include random access memory (RAM), read only memory (ROM), programmable read only memory (PROM), erasable programmable read only memory (EPROM), electronically erasable programmable read only memory (EEPROM), flash memory, a hard disk, a CD-ROM, a floppy disk, a cassette, magnetic media, optical media, or other computer-readable storage media. It should be understood that the term "computer-readable storage media" refers to physical storage media, and not signals or carrier waves, although the term "computer-readable media" may include transient media such as signals, in addition to physical storage media.
- Various examples have been described. These and other examples are within the scope of the following claims.
Claims (10)
- A method comprising:receiving, by a primary network device of a high-availability cluster, a packet of a network session, the packet comprising application-layer data;detecting, by the primary network device, a beginning of a new transaction from the application-layer data of the packet;calculating, by the primary network device, a sequence number corresponding to a first packet of a next transaction of the network session, wherein the next transaction follows the new transaction;forwarding, by the primary network device, a state update message that includes the calculated sequence number to a backup network device for the primary network device of the high-availability cluster;receiving, by the backup network device of the high-availability cluster, the state update message from the primary network device of the high-availability cluster, wherein the state update message indicates the network session being inspected by the primary network device and an identified application-layer protocol for the network session;in response to determining, by the backup network device, that the primary network device has switched over or failed over to the backup network device, receiving, by the backup network device, a packet of the network session, the packet comprising application-layer data;detecting, by the backup network device, a beginning of a new transaction from the application-layer data of the packet; andprocessing, by the backup network device, the application-layer data of the network session that include and follow the beginning of the new transaction without performing stateful processing of application-layer data that precede the beginning of the new transaction.
- The method of claim 1, wherein detecting, by the backup network device, the beginning of the new transaction comprises:determining a sequence number of the packet;comparing the sequence number of the packet to the sequence number of the next transaction from the state update message; anddetermining that the packet includes the beginning of the new transaction when the sequence number of the received packet matches the sequence number of the next transaction from the state update message.
- The method of claim 2, wherein detecting, by the backup network device, the beginning of a new transaction comprises determining that the application-layer data comprises a delimiter value that immediately precedes the beginning of the new transaction.
- The method of claim 3, wherein the delimiter value comprises at least one of a new line character, a line feed character, and a carriage return character.
- The method any of claims 2-4, wherein processing, by the backup network device, the packets comprises inspecting the application-layer data of the network session to determine whether any portion of the application-layer data corresponds to a network attack.
- The method of any preceding claim, wherein detecting, by the primary network device, the beginning of the new transaction comprises:calculating, prior to receiving the packet, a sequence number for a first packet of the new transaction;after receiving the packet, comparing the sequence number of the received packet to the calculated sequence number for the first packet of the new transaction; anddetermining that the sequence number of the received packet matches the calculated sequence number for the first packet of the new transaction.
- The method of claim 6, further comprising inspecting, by the primary network device, the application-layer data of the network session to determine whether any portion of the application-layer data represents a network attack.
- A computer-readable medium comprising instructions which, when executed by a high-availability cluster system comprising a primary network device and a backup network device, cause the high-availability cluster to perform the method of any of claims 1 to 7.
- A high-availability cluster system comprising:a primary network device comprising hardware; anda backup network device for the primary network device, wherein the backup network device comprises hardware,wherein the primary network device is configured to receive a packet of a network session, the packet comprising application-layer data, detect a beginning of a new transaction from the application-layer data of the packet, calculate a sequence number corresponding to a first packet of a next transaction of the network session, wherein the next transaction follows the new transaction, and forward a state update message that includes the calculated sequence number to the backup network device, andwherein the backup network device is configured to receive a state update message from a primary network device of a high-availability cluster of the backup network device, wherein the state update message indicates a network session being inspected by the primary network device and an identified application-layer protocol for the network session, and in response to determining that the primary network device has switched over or failed over to the backup network device, to receive a packet of the network session, the packet comprising application-layer data, detect a beginning of a new transaction from the application-layer data of the packet, and process the application-layer data of the network session that include and follow the beginning of the new transaction without performing stateful processing of application-layer data that precede the beginning of the new transaction.
- The high-availability cluster system of claim 9, further configured to perform the method of any of claims 2 to 7.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/684,725 US8291258B2 (en) | 2010-01-08 | 2010-01-08 | High availability for network security devices |
EP10186865.1A EP2343864B1 (en) | 2010-01-08 | 2010-10-07 | High availability for network security devices |
Related Parent Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP10186865.1A Division EP2343864B1 (en) | 2010-01-08 | 2010-10-07 | High availability for network security devices |
EP10186865.1A Division-Into EP2343864B1 (en) | 2010-01-08 | 2010-10-07 | High availability for network security devices |
Publications (2)
Publication Number | Publication Date |
---|---|
EP3823244A1 EP3823244A1 (en) | 2021-05-19 |
EP3823244B1 true EP3823244B1 (en) | 2023-08-23 |
Family
ID=43881222
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP10186865.1A Active EP2343864B1 (en) | 2010-01-08 | 2010-10-07 | High availability for network security devices |
EP20211030.0A Active EP3823244B1 (en) | 2010-01-08 | 2010-10-07 | High availability for network security devices |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP10186865.1A Active EP2343864B1 (en) | 2010-01-08 | 2010-10-07 | High availability for network security devices |
Country Status (3)
Country | Link |
---|---|
US (2) | US8291258B2 (en) |
EP (2) | EP2343864B1 (en) |
CN (1) | CN102123076B (en) |
Families Citing this family (152)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7634584B2 (en) | 2005-04-27 | 2009-12-15 | Solarflare Communications, Inc. | Packet validation in virtual network interface architecture |
US9059978B2 (en) | 2010-03-23 | 2015-06-16 | Fujitsu Limited | System and methods for remote maintenance in an electronic network with multiple clients |
CN102870392B (en) * | 2010-04-30 | 2016-07-13 | 交互数字专利控股公司 | Light weight protocol in network service and agency |
US8799422B1 (en) | 2010-08-16 | 2014-08-05 | Juniper Networks, Inc. | In-service configuration upgrade using virtual machine instances |
US9143386B1 (en) * | 2010-09-27 | 2015-09-22 | Sprint Communications Company L.P. | Remote keep-alive message management in a wireless communication network |
US8565108B1 (en) * | 2010-09-28 | 2013-10-22 | Amazon Technologies, Inc. | Network data transmission analysis |
CN103155497B (en) | 2010-10-15 | 2017-07-18 | 日本电气株式会社 | Communication system, control device, node, processing rule setting method and program |
US20120124431A1 (en) * | 2010-11-17 | 2012-05-17 | Alcatel-Lucent Usa Inc. | Method and system for client recovery strategy in a redundant server configuration |
US8868744B2 (en) * | 2010-11-24 | 2014-10-21 | International Business Machines Corporation | Transactional messaging support in connected messaging networks |
US8499348B1 (en) * | 2010-12-28 | 2013-07-30 | Amazon Technologies, Inc. | Detection of and responses to network attacks |
US8776207B2 (en) * | 2011-02-16 | 2014-07-08 | Fortinet, Inc. | Load balancing in a network with session information |
US9398033B2 (en) | 2011-02-25 | 2016-07-19 | Cavium, Inc. | Regular expression processing automaton |
WO2013020002A1 (en) | 2011-08-02 | 2013-02-07 | Cavium, Inc. | Incremental update of rules for packet classification |
US9021459B1 (en) | 2011-09-28 | 2015-04-28 | Juniper Networks, Inc. | High availability in-service software upgrade using virtual machine instances in dual control units of a network device |
US8806266B1 (en) | 2011-09-28 | 2014-08-12 | Juniper Networks, Inc. | High availability using full memory replication between virtual machine instances on a network device |
CN104025512B (en) * | 2011-11-01 | 2017-10-13 | 高通股份有限公司 | For the system and method by network security computer system wakeup |
US9203805B2 (en) * | 2011-11-23 | 2015-12-01 | Cavium, Inc. | Reverse NFA generation and processing |
CN102594623B (en) | 2011-12-31 | 2015-07-29 | 华为数字技术(成都)有限公司 | The data detection method of fire compartment wall and device |
US8776235B2 (en) | 2012-01-10 | 2014-07-08 | International Business Machines Corporation | Storage device with internalized anti-virus protection |
EP2661027A4 (en) * | 2012-01-21 | 2014-09-24 | Huawei Tech Co Ltd | Message forwarding method and device |
WO2013158920A1 (en) * | 2012-04-18 | 2013-10-24 | Nicira, Inc. | Exchange of network state information between forwarding elements |
US10536361B2 (en) | 2012-06-27 | 2020-01-14 | Ubiquiti Inc. | Method and apparatus for monitoring and processing sensor data from an electrical outlet |
US8943489B1 (en) * | 2012-06-29 | 2015-01-27 | Juniper Networks, Inc. | High availability in-service software upgrade using virtual machine instances in dual computing appliances |
CN102821100B (en) * | 2012-07-25 | 2014-10-29 | 河南省信息中心 | Method for realizing streaming file system based on security gateway of network application layer |
US9043914B2 (en) | 2012-08-22 | 2015-05-26 | International Business Machines Corporation | File scanning |
CN103685144A (en) * | 2012-08-31 | 2014-03-26 | 中兴通讯股份有限公司 | Media stream transmission method and device |
US9191399B2 (en) * | 2012-09-11 | 2015-11-17 | The Boeing Company | Detection of infected network devices via analysis of responseless outgoing network traffic |
US10332005B1 (en) * | 2012-09-25 | 2019-06-25 | Narus, Inc. | System and method for extracting signatures from controlled execution of applications and using them on traffic traces |
EP3751818A1 (en) | 2012-10-17 | 2020-12-16 | Tower-Sec Ltd. | A device for detection and prevention of an attack on a vehicle |
CN103841139B (en) * | 2012-11-22 | 2018-02-02 | 深圳市腾讯计算机系统有限公司 | Transmit the methods, devices and systems of data |
CN102938771B (en) * | 2012-12-05 | 2016-04-06 | 山东中创软件商用中间件股份有限公司 | A kind of method and system of network application fire compartment wall |
CN103001832B (en) * | 2012-12-21 | 2016-02-10 | 曙光信息产业(北京)有限公司 | The detection method of distributed file system interior joint and device |
US10452284B2 (en) * | 2013-02-05 | 2019-10-22 | International Business Machines Corporation | Storage system based host computer monitoring |
US9286047B1 (en) | 2013-02-13 | 2016-03-15 | Cisco Technology, Inc. | Deployment and upgrade of network devices in a network environment |
US8867343B2 (en) | 2013-03-15 | 2014-10-21 | Extrahop Networks, Inc. | Trigger based recording of flows with play back |
US8626912B1 (en) * | 2013-03-15 | 2014-01-07 | Extrahop Networks, Inc. | Automated passive discovery of applications |
CN103457927B (en) * | 2013-03-29 | 2018-01-09 | 深圳信息职业技术学院 | A kind of wireless base station of antivirus protection |
US10742604B2 (en) * | 2013-04-08 | 2020-08-11 | Xilinx, Inc. | Locked down network interface |
US9215129B2 (en) * | 2013-04-11 | 2015-12-15 | International Business Machines Corporation | Automatically constructing protection scope in a virtual infrastructure |
US20160157280A1 (en) * | 2013-04-24 | 2016-06-02 | Telefonaktiebolaget L M Ericsson (Publ) | Signalling reduction for ip traffic in wireless networks |
US9794275B1 (en) | 2013-06-28 | 2017-10-17 | Symantec Corporation | Lightweight replicas for securing cloud-based services |
US9426166B2 (en) | 2013-08-30 | 2016-08-23 | Cavium, Inc. | Method and apparatus for processing finite automata |
US9563399B2 (en) | 2013-08-30 | 2017-02-07 | Cavium, Inc. | Generating a non-deterministic finite automata (NFA) graph for regular expression patterns with advanced features |
US9426165B2 (en) | 2013-08-30 | 2016-08-23 | Cavium, Inc. | Method and apparatus for compilation of finite automata |
US9419943B2 (en) | 2013-12-30 | 2016-08-16 | Cavium, Inc. | Method and apparatus for processing of finite automata |
US9275336B2 (en) | 2013-12-31 | 2016-03-01 | Cavium, Inc. | Method and system for skipping over group(s) of rules based on skip group rule |
US9544402B2 (en) | 2013-12-31 | 2017-01-10 | Cavium, Inc. | Multi-rule approach to encoding a group of rules |
US9667446B2 (en) | 2014-01-08 | 2017-05-30 | Cavium, Inc. | Condition code approach for comparing rule and packet data that are provided in portions |
US9904630B2 (en) | 2014-01-31 | 2018-02-27 | Cavium, Inc. | Finite automata processing based on a top of stack (TOS) memory |
US9602532B2 (en) | 2014-01-31 | 2017-03-21 | Cavium, Inc. | Method and apparatus for optimizing finite automata processing |
US9154460B1 (en) * | 2014-02-12 | 2015-10-06 | Sonus Networks, Inc. | Methods and apparatus for denial of service resistant policing of packets |
US10110558B2 (en) | 2014-04-14 | 2018-10-23 | Cavium, Inc. | Processing of finite automata based on memory hierarchy |
US9438561B2 (en) | 2014-04-14 | 2016-09-06 | Cavium, Inc. | Processing of finite automata based on a node cache |
US10002326B2 (en) | 2014-04-14 | 2018-06-19 | Cavium, Inc. | Compilation of finite automata based on memory hierarchy |
US10164894B2 (en) * | 2014-05-05 | 2018-12-25 | Nicira, Inc. | Buffered subscriber tables for maintaining a consistent network state |
KR101946173B1 (en) * | 2014-08-19 | 2019-02-08 | 닛본 덴끼 가부시끼가이샤 | Communication device, communication system and communication method |
CN105636086A (en) * | 2014-10-28 | 2016-06-01 | 中兴通讯股份有限公司 | Network mode switching processing method, network mode switching processing device and terminal comprising network mode switching processing device |
WO2016113911A1 (en) * | 2015-01-16 | 2016-07-21 | 三菱電機株式会社 | Data assessment device, data assessment method, and program |
US9628504B2 (en) | 2015-03-09 | 2017-04-18 | International Business Machines Corporation | Deploying a security appliance system in a high availability environment without extra network burden |
US9967134B2 (en) | 2015-04-06 | 2018-05-08 | Nicira, Inc. | Reduction of network churn based on differences in input state |
US9338147B1 (en) | 2015-04-24 | 2016-05-10 | Extrahop Networks, Inc. | Secure communication secret sharing |
CN106576108B (en) * | 2015-04-30 | 2020-05-08 | 华为技术有限公司 | Communication method, equipment and system in communication system |
US10374904B2 (en) | 2015-05-15 | 2019-08-06 | Cisco Technology, Inc. | Diagnostic network visualization |
US9825954B2 (en) * | 2015-05-26 | 2017-11-21 | Holonet Security, Inc. | Stateful user device identification and binding for cloud application security |
US9800497B2 (en) | 2015-05-27 | 2017-10-24 | Cisco Technology, Inc. | Operations, administration and management (OAM) in overlay data center environments |
US9967158B2 (en) | 2015-06-05 | 2018-05-08 | Cisco Technology, Inc. | Interactive hierarchical network chord diagram for application dependency mapping |
US10142353B2 (en) | 2015-06-05 | 2018-11-27 | Cisco Technology, Inc. | System for monitoring and managing datacenters |
US10033766B2 (en) * | 2015-06-05 | 2018-07-24 | Cisco Technology, Inc. | Policy-driven compliance |
US10089099B2 (en) | 2015-06-05 | 2018-10-02 | Cisco Technology, Inc. | Automatic software upgrade |
US10536357B2 (en) | 2015-06-05 | 2020-01-14 | Cisco Technology, Inc. | Late data detection in data center |
CN106330988B (en) | 2015-06-16 | 2020-01-03 | 阿里巴巴集团控股有限公司 | Method and device for reissuing hypertext transfer request and client |
US10204122B2 (en) | 2015-09-30 | 2019-02-12 | Nicira, Inc. | Implementing an interface between tuple and message-driven control entities |
US9973394B2 (en) * | 2015-09-30 | 2018-05-15 | Netapp Inc. | Eventual consistency among many clusters including entities in a master member regime |
US10735438B2 (en) * | 2016-01-06 | 2020-08-04 | New York University | System, method and computer-accessible medium for network intrusion detection |
US10204211B2 (en) | 2016-02-03 | 2019-02-12 | Extrahop Networks, Inc. | Healthcare operations with passive network monitoring |
US9960952B2 (en) | 2016-03-17 | 2018-05-01 | Ca, Inc. | Proactive fault detection and diagnostics for networked node transaction events |
US11019167B2 (en) | 2016-04-29 | 2021-05-25 | Nicira, Inc. | Management of update queues for network controller |
US10104119B2 (en) * | 2016-05-11 | 2018-10-16 | Cisco Technology, Inc. | Short term certificate management during distributed denial of service attacks |
US10171357B2 (en) | 2016-05-27 | 2019-01-01 | Cisco Technology, Inc. | Techniques for managing software defined networking controller in-band communications in a data center network |
US10931629B2 (en) | 2016-05-27 | 2021-02-23 | Cisco Technology, Inc. | Techniques for managing software defined networking controller in-band communications in a data center network |
US10289438B2 (en) | 2016-06-16 | 2019-05-14 | Cisco Technology, Inc. | Techniques for coordination of application components deployed on distributed virtual machines |
US10659481B2 (en) * | 2016-06-29 | 2020-05-19 | Paypal, Inc. | Network operation application monitoring |
US9729416B1 (en) | 2016-07-11 | 2017-08-08 | Extrahop Networks, Inc. | Anomaly detection using device relationship graphs |
US10708183B2 (en) | 2016-07-21 | 2020-07-07 | Cisco Technology, Inc. | System and method of providing segment routing as a service |
US9660879B1 (en) | 2016-07-25 | 2017-05-23 | Extrahop Networks, Inc. | Flow deduplication across a cluster of network monitoring devices |
EP3747414A1 (en) | 2016-08-12 | 2020-12-09 | The Procter & Gamble Company | Method and apparatus for assembling absorbent articles |
US10972388B2 (en) | 2016-11-22 | 2021-04-06 | Cisco Technology, Inc. | Federated microburst detection |
US10541876B2 (en) | 2017-02-14 | 2020-01-21 | Nicira, Inc. | Inter-connecting logical control planes for state data exchange |
US10476673B2 (en) | 2017-03-22 | 2019-11-12 | Extrahop Networks, Inc. | Managing session secrets for continuous packet capture systems |
US10708152B2 (en) | 2017-03-23 | 2020-07-07 | Cisco Technology, Inc. | Predicting application and network performance |
US10523512B2 (en) | 2017-03-24 | 2019-12-31 | Cisco Technology, Inc. | Network agent for generating platform specific network policies |
US10764141B2 (en) | 2017-03-27 | 2020-09-01 | Cisco Technology, Inc. | Network agent for reporting to a network policy system |
US10250446B2 (en) | 2017-03-27 | 2019-04-02 | Cisco Technology, Inc. | Distributed policy store |
US10594560B2 (en) | 2017-03-27 | 2020-03-17 | Cisco Technology, Inc. | Intent driven network policy platform |
US10873794B2 (en) | 2017-03-28 | 2020-12-22 | Cisco Technology, Inc. | Flowlet resolution for application performance monitoring and management |
CN108984105B (en) * | 2017-06-02 | 2021-09-10 | 伊姆西Ip控股有限责任公司 | Method and device for distributing replication tasks in network storage device |
US11874845B2 (en) * | 2017-06-28 | 2024-01-16 | Fortinet, Inc. | Centralized state database storing state information |
US10680887B2 (en) | 2017-07-21 | 2020-06-09 | Cisco Technology, Inc. | Remote device status audit and recovery |
CN107426210A (en) * | 2017-07-25 | 2017-12-01 | 合肥红铭网络科技有限公司 | A kind of real-time traffic detection information storage method |
US10263863B2 (en) | 2017-08-11 | 2019-04-16 | Extrahop Networks, Inc. | Real-time configuration discovery and management |
US10063434B1 (en) | 2017-08-29 | 2018-08-28 | Extrahop Networks, Inc. | Classifying applications or activities based on network behavior |
US10554501B2 (en) | 2017-10-23 | 2020-02-04 | Cisco Technology, Inc. | Network migration assistant |
US10523541B2 (en) | 2017-10-25 | 2019-12-31 | Cisco Technology, Inc. | Federated network and application data analytics platform |
US9967292B1 (en) | 2017-10-25 | 2018-05-08 | Extrahop Networks, Inc. | Inline secret sharing |
US10594542B2 (en) | 2017-10-27 | 2020-03-17 | Cisco Technology, Inc. | System and method for network root cause analysis |
DE102017221889B4 (en) * | 2017-12-05 | 2022-03-17 | Audi Ag | Data processing device, overall device and method for operating a data processing device or overall device |
JP6873032B2 (en) * | 2017-12-28 | 2021-05-19 | 株式会社日立製作所 | Communication monitoring system, communication monitoring device and communication monitoring method |
US11233821B2 (en) | 2018-01-04 | 2022-01-25 | Cisco Technology, Inc. | Network intrusion counter-intelligence |
US11765046B1 (en) | 2018-01-11 | 2023-09-19 | Cisco Technology, Inc. | Endpoint cluster assignment and query generation |
US10917438B2 (en) | 2018-01-25 | 2021-02-09 | Cisco Technology, Inc. | Secure publishing for policy updates |
US10999149B2 (en) | 2018-01-25 | 2021-05-04 | Cisco Technology, Inc. | Automatic configuration discovery based on traffic flow data |
US10798015B2 (en) | 2018-01-25 | 2020-10-06 | Cisco Technology, Inc. | Discovery of middleboxes using traffic flow stitching |
US10826803B2 (en) | 2018-01-25 | 2020-11-03 | Cisco Technology, Inc. | Mechanism for facilitating efficient policy updates |
US10873593B2 (en) | 2018-01-25 | 2020-12-22 | Cisco Technology, Inc. | Mechanism for identifying differences between network snapshots |
US10574575B2 (en) | 2018-01-25 | 2020-02-25 | Cisco Technology, Inc. | Network flow stitching using middle box flow stitching |
US11128700B2 (en) | 2018-01-26 | 2021-09-21 | Cisco Technology, Inc. | Load balancing configuration based on traffic flow telemetry |
US10389574B1 (en) | 2018-02-07 | 2019-08-20 | Extrahop Networks, Inc. | Ranking alerts based on network monitoring |
US10264003B1 (en) | 2018-02-07 | 2019-04-16 | Extrahop Networks, Inc. | Adaptive network monitoring with tuneable elastic granularity |
US10038611B1 (en) | 2018-02-08 | 2018-07-31 | Extrahop Networks, Inc. | Personalization of alerts based on network monitoring |
US10270794B1 (en) | 2018-02-09 | 2019-04-23 | Extrahop Networks, Inc. | Detection of denial of service attacks |
US10116679B1 (en) | 2018-05-18 | 2018-10-30 | Extrahop Networks, Inc. | Privilege inference and monitoring based on network behavior |
CN108924652B (en) * | 2018-07-02 | 2020-04-28 | 四川长虹电器股份有限公司 | Method for detecting television signal change |
US10983880B2 (en) * | 2018-07-31 | 2021-04-20 | Hewlett Packard Enterprise Development Lp | Role designation in a high availability node |
US10411978B1 (en) | 2018-08-09 | 2019-09-10 | Extrahop Networks, Inc. | Correlating causes and effects associated with network activity |
US10594718B1 (en) | 2018-08-21 | 2020-03-17 | Extrahop Networks, Inc. | Managing incident response operations based on monitored network activity |
US10887207B2 (en) | 2018-10-29 | 2021-01-05 | Hewlett Packard Enterprise Development Lp | System and method for determining branch gateway device availability in computer networks |
CN109532954B (en) * | 2018-12-12 | 2022-01-28 | 中车长春轨道客车股份有限公司 | Method for implementing automatic backup of vehicle data |
CN111988346B (en) * | 2019-05-21 | 2021-10-22 | 新华三信息安全技术有限公司 | Data leakage protection equipment and message processing method |
US10965702B2 (en) | 2019-05-28 | 2021-03-30 | Extrahop Networks, Inc. | Detecting injection attacks using passive network monitoring |
US11405363B2 (en) | 2019-06-26 | 2022-08-02 | Microsoft Technology Licensing, Llc | File upload control for client-side applications in proxy solutions |
US11165814B2 (en) | 2019-07-29 | 2021-11-02 | Extrahop Networks, Inc. | Modifying triage information based on network monitoring |
US11388072B2 (en) | 2019-08-05 | 2022-07-12 | Extrahop Networks, Inc. | Correlating network traffic that crosses opaque endpoints |
US10742530B1 (en) | 2019-08-05 | 2020-08-11 | Extrahop Networks, Inc. | Correlating network traffic that crosses opaque endpoints |
CN110442368A (en) * | 2019-08-09 | 2019-11-12 | 北京空间技术研制试验中心 | A kind of in-orbit update method of manned spacecraft general purpose computing device software |
US11044174B2 (en) * | 2019-08-26 | 2021-06-22 | Citrix Systems, Inc. | Systems and methods for disabling services in a cluster |
US10742677B1 (en) | 2019-09-04 | 2020-08-11 | Extrahop Networks, Inc. | Automatic determination of user roles and asset types based on network monitoring |
US10701096B1 (en) * | 2019-09-23 | 2020-06-30 | Adlumin, Inc. | Systems and methods for anomaly detection on core banking systems |
US11245703B2 (en) | 2019-09-27 | 2022-02-08 | Bank Of America Corporation | Security tool for considering multiple security contexts |
CN111083215B (en) * | 2019-12-10 | 2022-08-09 | 深信服科技股份有限公司 | Session information synchronization method, device, equipment, system and storage medium |
US11165823B2 (en) | 2019-12-17 | 2021-11-02 | Extrahop Networks, Inc. | Automated preemptive polymorphic deception |
CN111988217B (en) * | 2020-08-31 | 2022-09-23 | Oppo广东移动通信有限公司 | Data interaction method and device, electronic equipment and storage medium |
US11463466B2 (en) | 2020-09-23 | 2022-10-04 | Extrahop Networks, Inc. | Monitoring encrypted network traffic |
EP4218212A4 (en) | 2020-09-23 | 2024-10-16 | Extrahop Networks Inc | Monitoring encrypted network traffic |
US11080294B1 (en) | 2021-02-03 | 2021-08-03 | Adlumin, Inc. | Systems and methods for data analytics |
US11349861B1 (en) | 2021-06-18 | 2022-05-31 | Extrahop Networks, Inc. | Identifying network entities based on beaconing activity |
US11296967B1 (en) | 2021-09-23 | 2022-04-05 | Extrahop Networks, Inc. | Combining passive network analysis and active probing |
US20230231797A1 (en) * | 2022-01-17 | 2023-07-20 | Juniper Networks, Inc. | Session state synchronization and failover using session-based routing |
US20230254225A1 (en) * | 2022-02-06 | 2023-08-10 | Arista Networks, Inc. | Generating hybrid network activity records |
US11843606B2 (en) | 2022-03-30 | 2023-12-12 | Extrahop Networks, Inc. | Detecting abnormal data access based on data similarity |
CN115348332B (en) * | 2022-07-08 | 2023-08-29 | 宜通世纪科技股份有限公司 | Method for reorganizing HTTP data stream session in signaling analysis scene |
CN115314268B (en) * | 2022-07-27 | 2023-12-12 | 天津市国瑞数码安全系统股份有限公司 | Malicious encryption traffic detection method and system based on traffic fingerprint and behavior |
CN116560571B (en) * | 2023-05-10 | 2024-05-07 | 上海威固信息技术股份有限公司 | Method and system for reading safety data of solid state disk |
Family Cites Families (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6397259B1 (en) * | 1998-05-29 | 2002-05-28 | Palm, Inc. | Method, system and apparatus for packet minimized communications |
US7020709B1 (en) * | 2000-06-30 | 2006-03-28 | Intel Corporation | System and method for fault tolerant stream splitting |
US20030101359A1 (en) * | 2001-11-29 | 2003-05-29 | International Business Machines Corporation | System and method for controlling invalid password attempts |
US7734752B2 (en) * | 2002-02-08 | 2010-06-08 | Juniper Networks, Inc. | Intelligent integrated network security device for high-availability applications |
US7316031B2 (en) * | 2002-09-06 | 2008-01-01 | Capital One Financial Corporation | System and method for remotely monitoring wireless networks |
US7373524B2 (en) * | 2004-02-24 | 2008-05-13 | Covelight Systems, Inc. | Methods, systems and computer program products for monitoring user behavior for a server application |
JP4462969B2 (en) * | 2004-03-12 | 2010-05-12 | 株式会社日立製作所 | Failover cluster system and failover method |
US7515525B2 (en) * | 2004-09-22 | 2009-04-07 | Cisco Technology, Inc. | Cooperative TCP / BGP window management for stateful switchover |
US8006091B2 (en) * | 2005-01-10 | 2011-08-23 | Cisco Technology, Inc. | Method and apparatus to provide failover capability of cached secure sessions |
TWI312462B (en) * | 2006-04-07 | 2009-07-21 | Hon Hai Prec Ind Co Ltd | Network device and subscribers' states synchronizing method thereof |
US7773540B1 (en) * | 2006-06-01 | 2010-08-10 | Bbn Technologies Corp. | Methods, system and apparatus preventing network and device identification |
CN101114892A (en) * | 2006-07-28 | 2008-01-30 | 华为技术有限公司 | Packet backup method |
US8051326B2 (en) * | 2006-12-29 | 2011-11-01 | Futurewei Technologies, Inc. | System and method for completeness of TCP data in TCP HA |
US7904961B2 (en) | 2007-04-20 | 2011-03-08 | Juniper Networks, Inc. | Network attack detection using partial deterministic finite automaton pattern matching |
CN101394641B (en) * | 2007-09-18 | 2011-09-21 | 中兴通讯股份有限公司 | Main standby machine switching method oriented to user data |
US7957323B2 (en) * | 2008-04-21 | 2011-06-07 | Spirent Communications, Inc. | Methods and apparatus for evaluating the sequence of packets |
CN102035814B (en) * | 2009-09-30 | 2014-08-27 | 瞻博网络公司 | Method and device for guaranteeing service quality by VPN (Virtual Private Network) IPSEC (Internet Protocol Security) tunnel |
-
2010
- 2010-01-08 US US12/684,725 patent/US8291258B2/en active Active
- 2010-10-07 EP EP10186865.1A patent/EP2343864B1/en active Active
- 2010-10-07 EP EP20211030.0A patent/EP3823244B1/en active Active
- 2010-10-09 CN CN201010503151.0A patent/CN102123076B/en active Active
-
2012
- 2012-10-15 US US13/651,895 patent/US8635490B2/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN102123076A (en) | 2011-07-13 |
US8291258B2 (en) | 2012-10-16 |
EP3823244A1 (en) | 2021-05-19 |
US8635490B2 (en) | 2014-01-21 |
EP2343864A3 (en) | 2014-07-16 |
CN102123076B (en) | 2014-04-30 |
EP2343864B1 (en) | 2021-01-06 |
US20130042323A1 (en) | 2013-02-14 |
US20110173490A1 (en) | 2011-07-14 |
EP2343864A2 (en) | 2011-07-13 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3823244B1 (en) | High availability for network security devices | |
US9860210B1 (en) | Multi-layered application classification and decoding | |
US10033696B1 (en) | Identifying applications for intrusion detection systems | |
US9398043B1 (en) | Applying fine-grain policy action to encapsulated network attacks | |
US8959197B2 (en) | Intelligent integrated network security device for high-availability applications | |
US8363549B1 (en) | Adaptively maintaining sequence numbers on high availability peers | |
US7706378B2 (en) | Method and apparatus for processing network packets | |
EP1817685B1 (en) | Intrusion detection in a data center environment | |
US6487666B1 (en) | Intrusion detection signature analysis using regular expressions and logical operators | |
US8209756B1 (en) | Compound attack detection in a computer network | |
US7796515B2 (en) | Propagation of viruses through an information technology network | |
US20040148520A1 (en) | Mitigating denial of service attacks | |
Varadharajan | A practical method to counteract denial of service attacks | |
CN113132342A (en) | Method, network device, tunnel entry point device, and storage medium | |
US11070522B1 (en) | Removing anomalies from security policies of a network security device | |
WO2003050644A2 (en) | Protecting against malicious traffic | |
CA2469885A1 (en) | Protecting against malicious traffic | |
US8811179B2 (en) | Method and apparatus for controlling packet flow in a packet-switched network | |
KR20110009813A (en) | Attack monitoring and tracing system and method in all ip network environment | |
JP2004096246A (en) | Data transmission method, data transmission system, and data transmitter | |
Murray | Reverse discovery of packet flooding hosts with defense mechanisms | |
Paxson | Detecting Network Intruders in Real Time |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE APPLICATION HAS BEEN PUBLISHED |
|
AC | Divisional application: reference to earlier application |
Ref document number: 2343864 Country of ref document: EP Kind code of ref document: P |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
|
17P | Request for examination filed |
Effective date: 20211117 |
|
RBV | Designated contracting states (corrected) |
Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: EXAMINATION IS IN PROGRESS |
|
17Q | First examination report despatched |
Effective date: 20220202 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R079 Ref document number: 602010068996 Country of ref document: DE Free format text: PREVIOUS MAIN CLASS: H04L0029060000 Ipc: H04L0009400000 Ref country code: DE Ref legal event code: R079 Free format text: PREVIOUS MAIN CLASS: H04L0029060000 Ipc: H04L0009400000 |
|
RIC1 | Information provided on ipc code assigned before grant |
Ipc: H04L 9/40 20220101AFI20230124BHEP |
|
GRAP | Despatch of communication of intention to grant a patent |
Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: GRANT OF PATENT IS INTENDED |
|
INTG | Intention to grant announced |
Effective date: 20230323 |
|
P01 | Opt-out of the competence of the unified patent court (upc) registered |
Effective date: 20230520 |
|
GRAS | Grant fee paid |
Free format text: ORIGINAL CODE: EPIDOSNIGR3 |
|
GRAA | (expected) grant |
Free format text: ORIGINAL CODE: 0009210 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE PATENT HAS BEEN GRANTED |
|
AC | Divisional application: reference to earlier application |
Ref document number: 2343864 Country of ref document: EP Kind code of ref document: P |
|
AK | Designated contracting states |
Kind code of ref document: B1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
REG | Reference to a national code |
Ref country code: GB Ref legal event code: FG4D |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: EP |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R096 Ref document number: 602010068996 Country of ref document: DE |
|
REG | Reference to a national code |
Ref country code: IE Ref legal event code: FG4D |
|
REG | Reference to a national code |
Ref country code: LT Ref legal event code: MG9D |
|
REG | Reference to a national code |
Ref country code: NL Ref legal event code: MP Effective date: 20230823 |
|
REG | Reference to a national code |
Ref country code: AT Ref legal event code: MK05 Ref document number: 1603859 Country of ref document: AT Kind code of ref document: T Effective date: 20230823 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: GR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20231124 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: IS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20231223 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: SE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230823 Ref country code: RS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230823 Ref country code: PT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20231226 Ref country code: NO Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20231123 Ref country code: NL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230823 Ref country code: LV Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230823 Ref country code: LT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230823 Ref country code: IS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20231223 Ref country code: HR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230823 Ref country code: GR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20231124 Ref country code: FI Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230823 Ref country code: AT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230823 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: DE Payment date: 20230920 Year of fee payment: 14 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: PL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230823 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: ES Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230823 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: SM Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230823 Ref country code: RO Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230823 Ref country code: ES Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230823 Ref country code: EE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230823 Ref country code: DK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230823 Ref country code: CZ Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230823 Ref country code: SK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230823 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R097 Ref document number: 602010068996 Country of ref document: DE |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: IT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230823 Ref country code: MC Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230823 |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: PL |
|
REG | Reference to a national code |
Ref country code: BE Ref legal event code: MM Effective date: 20231031 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: LU Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20231007 |
|
PLBE | No opposition filed within time limit |
Free format text: ORIGINAL CODE: 0009261 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: LU Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20231007 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: CH Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20231031 |
|
26N | No opposition filed |
Effective date: 20240524 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: CH Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20231031 Ref country code: SI Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20230823 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: BE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20231031 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: IE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20231007 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: GB Payment date: 20240919 Year of fee payment: 15 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: FR Payment date: 20240919 Year of fee payment: 15 |